Abstract. Proof search has been used to specify a wide range of computation systems. In order to build a framework for reasoning about such specifications, we make use of a sequent calculus involving induction and co-induction. These proof principles are based on a proof theoretic (rather than set-theoretic) notion of definition [13,20,25,51]. Definitions are akin to (stratified) logic programs, where the left and right rules for defined atoms allow one to view theories as "closed" or defining fixed points. The use of definitions makes it possible to reason intensionally about syntax, in particular enforcing free equality via unification. We add in a consistent way rules for pre- and post-fixed points, thus allowing the user to reason inductively and co-inductively about properties of computational systems, making full use of higher-order abstract syntax. Consistency is guaranteed via cut-elimination, where we give the first, to our knowledge, cut-elimination procedure in the presence of general inductive and co-inductive definitions.

1 Introduction 

A common approach to specifying computation systems is via deductive systems. Those are used to specify and 
reason about various logics, as well as aspects of programming languages such as operational semantics, type theories, 
abstract machines etc. Such specifications can be represented as logical theories in a suitably expressive formal logic 
where proof-search can then be used to model the computation. A logic used as a specification language is known 
as a logical framework [39], which comes equipped with a representation methodology. The encoding of the syntax 
of deductive systems inside formal logic can benefit from the use of higher-order abstract syntax (HOAS) [40], a 
high-level and declarative treatment of object-level bound variables and substitution. At the same time, we want to use 
such a logic in order to reason over the meta-theoretical properties of object languages, for example type preservation 
in operational semantics [26], soundness and completeness of compilation [32] or congruence of bisimulation in 
transition systems [27]. Typically this involves reasoning by (structural) induction and, when dealing with infinite 
behavior, co-induction [23]. 

The need to support both inductive and co-inductive reasoning and some form of HOAS requires some careful design decisions, since the two are prima facie notoriously incompatible. While any meta-language based on a λ-calculus can be used to specify and animate HOAS encodings, meta-reasoning has traditionally involved (co)inductive specifications both at the level of the syntax and of the judgements, which are of course unified at the type-theoretic level. The first provides crucial freeness properties for datatype constructors, while the second offers principles of case analysis and (co)induction. This is well-known to be problematic, since HOAS specifications lead to non-monotone (co)inductive operators, which by cardinality and consistency reasons are not permitted in inductive logical frameworks. Moreover, even when HOAS is weakened so as to be made compatible with standard proof assistants [12] such as HOL or Coq, the latter suffer the fate of allowing the existence of too many functions and yielding the so-called exotic terms. Those are canonical terms in the signature of an HOAS encoding that do not correspond to any term in the deductive system under study. This causes a loss of adequacy in HOAS specifications, which is one of the pillars of formal verification, and it undermines the trust in formal derivations. On the other hand, logics such as LF [21] that are weak by design [10] in order to support this style of syntax are not directly endowed with (co)induction principles.

The contribution of this paper lies in the design of a new logic, called Linc⁻ (for a logic with λ-terms, induction and co-induction),³ which carefully adds principles of induction and co-induction to a higher-order intuitionistic logic based on a proof theoretic notion of definition, following on work by (among others) Lars Hallnäs [20], Eriksson [13], Schroeder-Heister [51] and McDowell and Miller [25]. Definitions are akin to logic programs, but allow us to view theories as "closed" or defining fixed points. This alone allows us to perform case analysis independently from induction principles. Our approach to formalizing induction and co-induction is via the least and greatest solutions of the fixed point equations specified by the definitions. Such least and greatest solutions are guaranteed to exist by imposing a stratification condition on definitions (which basically ensures monotonicity). The proof rules for induction and co-induction make use of the notion of pre-fixed points and post-fixed points respectively. In the inductive case, this corresponds to the induction invariant, while in the co-inductive one to the so-called simulation.

³ The "minus" in the terminology refers to the lack of the ∇ quantifier w.r.t. the eponymous logic in Tiu's thesis [56].

The simply typed language underlying Linc⁻ and the notion of definition make it possible to reason intensionally about syntax, in particular enforcing free equality via unification, which can be used on first-order terms or higher-order λ-terms. In fact, we can support HOAS encodings of constants without requiring them to be the constructors of a (recursive) datatype, which could not exist for cardinality reasons. In particular we can prove the freeness properties of those constructors, namely injectivity, distinctness and case exhaustion. Judgements are encoded as definitions according to their informal semantics, either inductive or co-inductive. Definitions that are true in every fixed point will not be given here special consideration.

Linc⁻ can be proved to be a conservative extension of $FO\lambda^{\Delta\mathbb{N}}$ [25] and a generalization with a higher-order language of Martin-Löf's [24] first-order theory of iterated inductive definitions. Moreover, to the best of our knowledge, it is the first sequent calculus with a syntactical cut-elimination theorem for co-inductive definitions. In recent years, several logical systems have been designed that build on the core features of Linc⁻. In particular, one interesting, and orthogonal, extension is the addition of the ∇-quantifier [14,31,56,57], which allows one to reason about the intensional aspects of names and bindings in object syntax specifications (see, e.g., [15,58,59]). The cut elimination proof presented in this paper can be used as a springboard towards cut elimination procedures for more expressive (conservative) extensions of Linc⁻ such as the ones with ∇. Here lies the added value of the present paper, which extends and revises a conference paper published in the proceedings of TYPES 2003 [33]. In the conference version, the co-inductive rule had a technical side condition that is restrictive and unnatural. The restriction was essentially imposed by the particular cut elimination proof technique outlined in that paper. This restriction has been removed in the present version, and as such the cut elimination proof itself has consequently been significantly revised.

The rest of the paper is organized as follows. Section 2 introduces the sequent calculus for the logic Linc⁻. Section 3 shows some examples of using induction and co-induction to prove properties of list-related predicates and the lazy λ-calculus. Section 4 studies several properties of derivations in Linc⁻ that will be used extensively in the cut-elimination proof (Section 5). Section 6 surveys the related work and Section 7 concludes this paper.

2 The Logic Linc⁻ 

The logic Linc⁻ shares the core fragment of $FO\lambda^{\Delta\mathbb{N}}$, which is an intuitionistic version of Church's Simple Theory of Types. Formulae in the logic are built from predicate symbols and the usual logical connectives $\bot$, $\top$, $\land$, $\lor$, $\supset$, $\forall_\tau$ and $\exists_\tau$. Following Church, formulae will be given type o. The quantification type τ (omitted in the rest of the paper) can have base or higher types, but those are restricted not to contain o. Thus the logic has a first-order proof theory but allows the encoding of higher-order abstract syntax.

We assume the usual notion of capture-avoiding substitutions. Substitutions are ranged over by lower-case Greek letters, e.g., θ, ρ and σ. Application of substitution is written in postfix notation, e.g. $t\theta$ denotes the term resulting from an application of substitution θ to t. Composition of substitutions, denoted by $\circ$, is defined as $t(\theta \circ \rho) = (t\theta)\rho$.

The whole logic is presented in the sequent calculus in Figure 1. A sequent is denoted by $\Gamma \longrightarrow C$ where C is a formula and Γ is a multiset of formulae. Notice that in the presentation of the rule schemes, we make use of HOAS, e.g., in the application $B\,x$ it is implicit that B has no free occurrence of x. In particular we work modulo α-conversion without further notice. In the ∀R and ∃L rules, y is an eigenvariable that is not free in the lower sequent of the rule. Whenever we write a sequent, it is assumed implicitly that the formulae are well-typed and in βη-long normal forms: the type context, i.e., the types of the constants and the eigenvariables used in the sequent, is left implicit as well. The mc rule is a generalization of the cut rule that simplifies the presentation of the cut-elimination proof.

We extend the core fragment with a proof theoretic notion of equality and fixed points. Each of these extensions 
is discussed below. 

2.1 Equality 

The right introduction rule for equality is the standard one, that is, it recognizes that two terms are syntactically equal. The left introduction rule is more interesting. The substitution ρ in eqL is a unifier of s and t. Note that we specify the premise of eqL as a set, with the intention that every sequent in the set is a premise of the rule. This set is of course infinite, since for every unifier of (s,t), we can extend it to another unifier (e.g., by adding substitution pairs for variables not in the terms). However, in many cases, it is sufficient to consider a particular set of unifiers, which is often called a complete set of unifiers (CSU) [4], from which any unifier can be obtained by composing a member of the CSU set with a substitution. In the case where the terms are first-order terms, or higher-order terms with the pattern restriction [30], the set CSU is a singleton, i.e., there exists a most general unifier (MGU) for the terms. In examples and applications, we shall use a more restricted version of eqL using CSU:

$$\dfrac{\{\Gamma\rho \longrightarrow C\rho \mid s\rho =_{\beta\eta} t\rho,\ \rho \in CSU(s,t)\}}{s = t,\ \Gamma \longrightarrow C}\ \mathrm{eqL}_{csu}$$

Replacing eqL with eqL_csu does not change the class of provable formulae, as shown in [56]. Note that in applying eqL and eqL_csu, eigenvariables can be instantiated as a result. Note also that if the premise sets of eqL and eqL_csu are empty, then the sequent in the conclusion is considered proved.

Induction rules:

$$\dfrac{B\,S\,\vec{y} \longrightarrow S\,\vec{y} \qquad \Gamma, S\,\vec{t} \longrightarrow C}{\Gamma, p\,\vec{t} \longrightarrow C}\ \mathrm{IL},\ p\,\vec{x} \stackrel{\mu}{=} B\,p\,\vec{x} \qquad\qquad \dfrac{\Gamma \longrightarrow B\,p\,\vec{t}}{\Gamma \longrightarrow p\,\vec{t}}\ \mathrm{IR},\ p\,\vec{x} \stackrel{\mu}{=} B\,p\,\vec{x}$$

Co-induction rules:

$$\dfrac{B\,p\,\vec{t}, \Gamma \longrightarrow C}{p\,\vec{t}, \Gamma \longrightarrow C}\ \mathrm{CIL},\ p\,\vec{x} \stackrel{\nu}{=} B\,p\,\vec{x} \qquad\qquad \dfrac{\Gamma \longrightarrow S\,\vec{t} \qquad S\,\vec{y} \longrightarrow B\,S\,\vec{y}}{\Gamma \longrightarrow p\,\vec{t}}\ \mathrm{CIR},\ p\,\vec{x} \stackrel{\nu}{=} B\,p\,\vec{x}$$

Fig. 1. The inference rules of Linc⁻

Our treatment of equality implicitly assumes the notion of free equality as commonly found in logic programming. More specifically, the axioms of free equality [9], that is, injectivity of function symbols, inequality between distinct function symbols, and the "occur-check" are enforced via unification in the eqL rule. For instance, given a base type nt (for natural numbers) and the constants z : nt (zero) and s : nt → nt (successor), we can derive $\forall x.\ z = (s\,x) \supset \bot$ as follows:

$$\dfrac{\dfrac{\dfrac{}{z = (s\,x) \longrightarrow \bot}\ \mathrm{eqL}}{\longrightarrow z = (s\,x) \supset \bot}\ {\supset}\mathrm{R}}{\longrightarrow \forall x.\ z = (s\,x) \supset \bot}\ \forall\mathrm{R}$$

Since z and s x are not unifiable, the eqL rule above has empty premise, thus concluding the derivation. We can also prove the injectivity of the successor function, i.e. $\forall x \forall y.\ (s\,x) = (s\,y) \supset x = y$.

This proof theoretic notion of equality has been considered in several previous works, e.g. by Schroeder-Heister [51], and McDowell and Miller [25].



2.2 Induction and co-induction 

One way of adding induction and co-induction is to introduce fixed point expressions and their associated introduction rules, i.e. using the μ and ν operators of the (first-order) μ-calculus. This is essentially what we shall follow here, but with a different notation. Instead of using a "nameless" notation using μ and ν to express fixed points, we associate a fixed point equation with an atomic formula. That is, we associate certain designated predicates with a definition. This notation is clearer and more convenient as far as our examples and applications are concerned. For the proof system using nameless notation for inductive and co-inductive predicates, the interested reader is referred to a recent work by Baelde and Miller [5].

Definition 1. An inductive definition clause is written $\forall\vec{x}.\ p\,\vec{x} \stackrel{\mu}{=} B\,\vec{x}$, where p is a predicate constant and $\vec{x}$ is a sequence of variables. The atomic formula $p\,\vec{x}$ is called the head of the clause, and the formula $B\,\vec{x}$, where B is a closed term, is called the body. Similarly, a co-inductive definition clause is written $\forall\vec{x}.\ p\,\vec{x} \stackrel{\nu}{=} B\,\vec{x}$. The symbols $\stackrel{\mu}{=}$ and $\stackrel{\nu}{=}$ are used simply to indicate a definition clause: they are not a logical connective. A definition is a set of definition clauses.

It is technically convenient to bundle up all the definitional clauses for a given predicate in a single clause, so that a predicate may occur at most once in the heads of the clauses of a definition, following the same principles of the iff-completion in logic programming [50]. Further, in order to simplify the presentation of some rules that involve predicate substitutions, we sometimes denote a definition using an abstraction over predicates, that is

$$\forall\vec{x}.\ p\,\vec{x} \stackrel{\triangle}{=} B\,p\,\vec{x}$$

where B is an abstraction with no free occurrence of predicate symbol p and variables $\vec{x}$. Substitution of p in the body of the clause with a formula S can then be written simply as $B\,S\,\vec{x}$. When writing definition clauses, we often omit the outermost universal quantifiers, with the assumption that free variables in a clause are universally quantified (such variables will often be denoted with capital letters). We shall write $\forall\vec{x}.\ p\,\vec{x} \stackrel{\triangle}{=} B\,p\,\vec{x}$ to denote a definition clause generally, i.e., when we are not interested in the details of whether it is an inductive or a co-inductive definition.






The introduction rules for (co-)inductively defined atoms are given at the bottom of Figure 1. The abstraction S is an invariant of the (co-)induction rule, which is of the same type as p. The variables $\vec{y}$ are new eigenvariables. For the induction rule IL, S denotes a pre-fixed point of the underlying fixed point operator. Similarly, for the co-induction rule CIR, S can be seen as denoting a post-fixed point of the same operator. Here, we use a characterization of induction and co-induction proof rules as, respectively, the least and the greatest solutions to a fixed point equation. To guarantee soundness of these rules, we shall restrict the (co)inductive definitions to ones which are monotone. In this case, the Knaster-Tarski fixed point theorems tell us that the existence of a pre-fixed point (respectively, post-fixed point) implies the existence of a least (resp., greatest) fixed point. Monotonicity is enforced by a syntactic condition on definitions, as it is used for the logic $FO\lambda^{\Delta\mathbb{N}}$ [25]: we rule out definitions with circular calling through implications (negations) that can lead to inconsistency [49]. The notion of level of a formula allows us to define a proper stratification on definitions.

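Definition 2. To each predicate p we associate a natural number lvl(p), the level of p. Given a formula B, its level lvl(B) is defined as follows:

1. $\mathrm{lvl}(p\,\vec{t}) = \mathrm{lvl}(p)$,

2. $\mathrm{lvl}(\bot) = \mathrm{lvl}(\top) = 0$,

3. $\mathrm{lvl}(B \land C) = \mathrm{lvl}(B \lor C) = \max(\mathrm{lvl}(B), \mathrm{lvl}(C))$,

4. $\mathrm{lvl}(B \supset C) = \max(\mathrm{lvl}(B) + 1, \mathrm{lvl}(C))$,

5. $\mathrm{lvl}(\forall x.\ B\,x) = \mathrm{lvl}(\exists x.\ B\,x) = \mathrm{lvl}(B\,t)$, for any term t.

The level of a sequent $\Gamma \longrightarrow C$ is the level of C. A formula B is said to be dominated by a predicate symbol p, if $\mathrm{lvl}(B) \le \mathrm{lvl}(p)$ and $\mathrm{lvl}(B[\lambda\vec{x}.\top / p]) < \mathrm{lvl}(p)$, where $\lambda\vec{x}.\top$ is of the same type as p. A definition clause $\forall\vec{x}.\ p\,\vec{x} \stackrel{\triangle}{=} B\,\vec{x}$ is stratified if $B\,\vec{x}$ is dominated by p.

Note that when p is vacuous in B and p dominates B, we obviously have $\mathrm{lvl}(B) < \mathrm{lvl}(p)$.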

From now on, we shall be concerned only with stratified definitions. An occurrence of a formula A in a formula C is strictly positive if that particular occurrence of A is not to the left of any implication in C. Stratification then implies that all occurrences of the head in the body are strictly positive, and that there is no mutual recursion between different definition clauses. This restriction to non-mutual recursion is just for the sake of simplicity in the presentation of the underlying idea of the cut elimination proof. This proof (Section 5) can be extended to handle mutually recursive definitions with some straightforward, albeit tedious, modifications. In the first-order case, the restriction to non-mutual recursion is immaterial, since one can easily encode mutually recursive predicates as a single predicate with an extra argument. For example, consider the following mutual recursive definitions for even and odd numbers.

$$\begin{array}{l} even\ X \stackrel{\triangle}{=} X = z \lor \exists y.\ y = (s\,X) \land odd\ y. \\ odd\ X \stackrel{\triangle}{=} \exists y.\ y = (s\,X) \land even\ y. \end{array}$$

We can collapse these two definition clauses into a single one, with a parameter that takes a constant e (for 'even') or o (for 'odd'):

$$\begin{array}{ll} evod\ W\ X \stackrel{\triangle}{=} & [W = e \land (X = z \lor \exists y.\ y = (s\,X) \land evod\ o\ y)]\ \lor \\ & [W = o \land (\exists y.\ y = (s\,X) \land evod\ e\ y)]. \end{array}$$

We then define even and odd as follows:

$$\begin{array}{l} even\ X \stackrel{\triangle}{=} evod\ e\ X. \\ odd\ X \stackrel{\triangle}{=} evod\ o\ X. \end{array}$$

This definition can be stratified by assigning levels to the predicate symbols such that

$$\mathrm{lvl}(evod) < \mathrm{lvl}(even) < \mathrm{lvl}(odd).$$
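
As an added illustration (not code from the paper), the sketch below implements the level function of Definition 2 and the stratification test, then searches for level assignments for the mutual even/odd clauses, the collapsed evod version, and a clause that calls itself through an implication. It assumes that equations have level 0 and reads the first condition of "dominated" as non-strict; the tuple encoding of formulas and all function names are choices made here.

```python
from itertools import product

# Formula encoding (assumed here): tagged tuples. Term arguments are omitted
# because the level of a formula does not depend on them.
EQ, TOP, BOT = ("eq",), ("top",), ("bot",)

def Atom(p):   return ("atom", p)
def And(a, b): return ("and", a, b)
def Or(a, b):  return ("or", a, b)
def Imp(a, b): return ("imp", a, b)
def Ex(a):     return ("exists", a)
def All(a):    return ("forall", a)


def lvl(f, levels):
    """Level of a formula, following the five items of Definition 2."""
    tag = f[0]
    if tag == "atom":
        return levels[f[1]]
    if tag in ("top", "bot", "eq"):      # level 0 for equations is an assumption
        return 0
    if tag in ("and", "or"):
        return max(lvl(f[1], levels), lvl(f[2], levels))
    if tag == "imp":
        return max(lvl(f[1], levels) + 1, lvl(f[2], levels))
    if tag in ("forall", "exists"):
        return lvl(f[1], levels)
    raise ValueError(f"unknown connective {tag!r}")


def erase(f, p):
    """B[lambda x. top / p]: replace every atom headed by p with top."""
    tag = f[0]
    if tag == "atom":
        return TOP if f[1] == p else f
    if tag in ("top", "bot", "eq"):
        return f
    if tag in ("forall", "exists"):
        return (tag, erase(f[1], p))
    return (tag, erase(f[1], p), erase(f[2], p))


def dominated(body, p, levels):
    return (lvl(body, levels) <= levels[p]
            and lvl(erase(body, p), levels) < levels[p])


def stratified(definition, levels):
    """definition maps each predicate to the body of its single clause."""
    return all(dominated(body, p, levels) for p, body in definition.items())


def find_levels(definition, bound=4):
    """First level assignment below `bound` that stratifies, else None."""
    preds = sorted(definition)
    for combo in product(range(bound), repeat=len(preds)):
        levels = dict(zip(preds, combo))
        if stratified(definition, levels):
            return levels
    return None


# The mutually recursive clauses from the text.
MUTUAL = {
    "even": Or(EQ, Ex(And(EQ, Atom("odd")))),
    "odd":  Ex(And(EQ, Atom("even"))),
}

# The collapsed version: evod carries the even/odd tag as an extra argument.
COLLAPSED = {
    "evod": Or(And(EQ, Or(EQ, Ex(And(EQ, Atom("evod"))))),
               And(EQ, Ex(And(EQ, Atom("evod"))))),
    "even": Atom("evod"),
    "odd":  Atom("evod"),
}

# Constructed counter-example: p calls itself to the left of an implication.
NEGATIVE = {"p": Imp(Atom("p"), BOT)}
```

`find_levels(MUTUAL)` and `find_levels(NEGATIVE)` return `None`, while the collapsed definition is accepted both by the search and under the ordering given in the text.
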



3 Examples 



We now give some examples, starting with some that make essential use of HOAS. 
3.1 Lazy λ-Calculus 



We consider an untyped version of the pure λ-calculus with lazy evaluation, following the usual HOAS style, i.e., object-level λ-operator and application are encoded as constants lam : (tm → tm) → tm and @ : tm → tm → tm, where tm is the syntactic category of object-level λ-terms. The evaluation relation is encoded as the following inductive definition

$$\begin{array}{ll} M \Downarrow N \stackrel{\mu}{=} & [\exists M'.\ (M = \mathrm{lam}\,M') \land (M = N)]\ \lor \\ & [\exists M_1 \exists M_2 \exists P.\ (M = M_1\,@\,M_2) \land M_1 \Downarrow \mathrm{lam}\,P \land (P\,M_2) \Downarrow N] \end{array}$$

Notice that object-level substitution is realized via β-reduction in the meta-logic.

The notion of applicative simulation of λ-expressions [1] can be encoded as the (stratified) co-inductive definition

$$sim\ R\ S \stackrel{\nu}{=} \forall T.\ R \Downarrow \mathrm{lam}\,T \supset \exists U.\ S \Downarrow \mathrm{lam}\,U \land \forall P.\ sim\ (T\,P)\ (U\,P).$$

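Given this encoding, we can prove the reflexivity property of simulation, i.e., $\forall s.\ sim\ s\ s$. This is proved co-inductively by using the simulation $\lambda x \lambda y.\ x = y$. After applying ∀R and CIR, it remains to prove the sequents $\longrightarrow s = s$, and

$$x = y \longrightarrow \forall x_1.\ x \Downarrow \mathrm{lam}\,x_1 \supset (\exists x_2.\ y \Downarrow \mathrm{lam}\,x_2 \land \forall x_3.\ (x_1\,x_3) = (x_2\,x_3))$$

The first sequent is provable by an application of eqR rule. The second sequent is proved as follows.

$$
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{
    \dfrac{
     \dfrac{}{z \Downarrow \mathrm{lam}\,x_1 \longrightarrow z \Downarrow \mathrm{lam}\,x_1}\ \mathrm{init}
     \qquad
     \dfrac{z \Downarrow \mathrm{lam}\,x_1 \longrightarrow (x_1\,x_3) = (x_1\,x_3)}
           {z \Downarrow \mathrm{lam}\,x_1 \longrightarrow \forall x_3.\ (x_1\,x_3) = (x_1\,x_3)}\ \forall\mathrm{R}
    }{z \Downarrow \mathrm{lam}\,x_1 \longrightarrow (z \Downarrow \mathrm{lam}\,x_1 \land \forall x_3.\ (x_1\,x_3) = (x_1\,x_3))}\ {\land}\mathrm{R}
   }{z \Downarrow \mathrm{lam}\,x_1 \longrightarrow (\exists x_2.\ z \Downarrow \mathrm{lam}\,x_2 \land \forall x_3.\ (x_1\,x_3) = (x_2\,x_3))}\ \exists\mathrm{R}
  }{x = y,\ x \Downarrow \mathrm{lam}\,x_1 \longrightarrow (\exists x_2.\ y \Downarrow \mathrm{lam}\,x_2 \land \forall x_3.\ (x_1\,x_3) = (x_2\,x_3))}\ \mathrm{eqL}
 }{x = y \longrightarrow x \Downarrow \mathrm{lam}\,x_1 \supset (\exists x_2.\ y \Downarrow \mathrm{lam}\,x_2 \land \forall x_3.\ (x_1\,x_3) = (x_2\,x_3))}\ {\supset}\mathrm{R}
}{x = y \longrightarrow \forall x_1.\ x \Downarrow \mathrm{lam}\,x_1 \supset (\exists x_2.\ y \Downarrow \mathrm{lam}\,x_2 \land \forall x_3.\ (x_1\,x_3) = (x_2\,x_3))}\ \forall\mathrm{R}
$$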



The transitivity property is expressed as $\forall r \forall s \forall t.\ sim\ r\ s \land sim\ s\ t \supset sim\ r\ t$. Its proof involves co-induction on $sim\ r\ t$ with the simulation $\lambda u \lambda v.\ \exists w.\ sim\ u\ w \land sim\ w\ v$, followed by case analysis (i.e., defL and eqL rules) on $sim\ r\ s$ and $sim\ s\ t$. The rest of the proof is purely logical.

We can also show the existence of divergent terms. Divergence is encoded as follows.

$$\begin{array}{ll} divrg\ T \stackrel{\nu}{=} & [\exists T_1 \exists T_2.\ T = (T_1\,@\,T_2) \land divrg\ T_1]\ \lor \\ & [\exists T_1 \exists T_2.\ T = (T_1\,@\,T_2) \land \exists E.\ T_1 \Downarrow \mathrm{lam}\,E \land divrg\ (E\,T_2)]. \end{array}$$

Let Ω be the term (lam x.(x@x)) @ (lam x.(x@x)). We show that divrg Ω holds. The proof is straightforward by co-induction using the simulation $S := \lambda s.\ s = \Omega$. Applying the CIR produces the sequents $\longrightarrow \Omega = \Omega$ and $T = \Omega \longrightarrow S_1 \lor S_2$ where

$$S_1 := \exists T_1 \exists T_2.\ T = (T_1\,@\,T_2) \land (S\,T_1), \text{ and}$$

$$S_2 := \exists T_1 \exists T_2.\ T = (T_1\,@\,T_2) \land \exists E.\ T_1 \Downarrow \mathrm{lam}\,E \land S\,(E\,T_2).$$

Clearly, only the second disjunct is provable, i.e., by instantiating $T_1$ and $T_2$ with the same term lam x.(x@x), and E with the function λx.(x@x).



3.2 Lists 

Lists over some fixed type α are encoded as the type lst, with the usual constructor nil : lst for empty list and :: of type α → lst → lst. We consider here the append predicate for both the finite and infinite case.

Finite lists The usual append predicate on finite lists can be encoded as the inductive definition

$$\begin{array}{ll} app\ L_1\ L_2\ L_3 \stackrel{\mu}{=} & [(L_1 = nil) \land (L_2 = L_3)]\ \lor \\ & [\exists x \exists L_1' \exists L_3'.\ (L_1 = x{::}L_1') \land (L_3 = x{::}L_3') \land app\ L_1'\ L_2\ L_3']. \end{array}$$

Associativity of append is stated formally as

$$\forall l_1 \forall l_2 \forall l_{12} \forall l_3 \forall l_4.\ (app\ l_1\ l_2\ l_{12} \land app\ l_{12}\ l_3\ l_4) \supset \forall l_{23}.\ app\ l_2\ l_3\ l_{23} \supset app\ l_1\ l_{23}\ l_4.$$

Proving this formula requires us to prove first that the definition of append is functional, that is,

$$\forall l_1 \forall l_2 \forall l_3 \forall l_4.\ app\ l_1\ l_2\ l_3 \land app\ l_1\ l_2\ l_4 \supset l_3 = l_4.$$

This is done by induction on $l_1$, i.e., we apply the IL rule on $app\ l_1\ l_2\ l_3$, after the introduction rules for ∀ and ⊃, of course. The invariant in this case is

$$S := \lambda r_1 \lambda r_2 \lambda r_3.\ \forall r.\ app\ r_1\ r_2\ r \supset r = r_3.$$

It is a simple case analysis to check that this is the right invariant. Back to our original problem: after applying the introduction rules for the logical connectives in the formula, the problem of associativity is reduced to the following sequent

$$app\ l_1\ l_2\ l_{12},\ app\ l_{12}\ l_3\ l_4,\ app\ l_2\ l_3\ l_{23} \longrightarrow app\ l_1\ l_{23}\ l_4. \qquad (1)$$

We then proceed by induction on the list $l_1$, that is, we apply the IL rule to the hypothesis $app\ l_1\ l_2\ l_{12}$. The invariant is simply

$$S := \lambda l_1 \lambda l_2 \lambda l_{12}.\ \forall l_3 \forall l_4.\ app\ l_{12}\ l_3\ l_4 \supset \forall l_{23}.\ app\ l_2\ l_3\ l_{23} \supset app\ l_1\ l_{23}\ l_4.$$

Applying the IL rule, followed by ∨L, to sequent (1) reduces the sequent to the following sub-goals

(i) $S\ l_1\ l_2\ l_{12},\ app\ l_{12}\ l_3\ l_4,\ app\ l_2\ l_3\ l_{23} \longrightarrow app\ l_1\ l_{23}\ l_4$,

(ii) $(l_1 = nil \land l_2 = l_3) \longrightarrow S\ l_1\ l_2\ l_3$,

(iii) $\exists x, l_1', l_3'.\ l_1 = x{::}l_1' \land l_3 = x{::}l_3' \land S\ l_1'\ l_2\ l_3' \longrightarrow S\ l_1\ l_2\ l_3$

The proof for the second sequent is straightforward. The first sequent reduces to

$$app\ l_{12}\ l_3\ l_4,\ app\ l_{12}\ l_3\ l_{23} \longrightarrow app\ nil\ l_{23}\ l_4.$$

This follows from the functionality of append and IR. The third sequent follows by case analysis. Of course, these proofs could have been simplified by using a derived principle of structural induction. While this is easy to do, we have preferred here to use the primitive IL rule.

Infinite lists The append predicate on infinite lists is defined via co-recursion, that is, we define the behavior of destructor operations on lists (i.e., taking the head and the tail of the list). In this case we never construct explicitly the result of appending two lists, rather the head and the tail of the resulting lists are computed as needed. The co-recursive append requires case analysis on all arguments.

$$\begin{array}{ll} coapp\ L_1\ L_2\ L_3 \stackrel{\nu}{=} & [(L_1 = nil) \land (L_2 = nil) \land (L_3 = nil)]\ \lor \\ & [(L_1 = nil) \land \exists x \exists L_2' \exists L_3'.\ (L_2 = x{::}L_2') \land (L_3 = x{::}L_3') \land coapp\ nil\ L_2'\ L_3']\ \lor \\ & [\exists x \exists L_1' \exists L_3'.\ (L_1 = x{::}L_1') \land (L_3 = x{::}L_3') \land coapp\ L_1'\ L_2\ L_3']. \end{array}$$

The corresponding associativity property is stated analogously to the inductive one and the main statement reduces to proving the sequent

$$coapp\ l_1\ l_2\ l_{12},\ coapp\ l_{12}\ l_3\ l_4,\ coapp\ l_2\ l_3\ l_{23} \longrightarrow coapp\ l_1\ l_{23}\ l_4.$$

We apply the CIR rule to $coapp\ l_1\ l_{23}\ l_4$, using the simulation

$$S := \lambda l_1 \lambda l_2 \lambda l_{12}.\ \exists l_{23} \exists l_3 \exists l_4.\ coapp\ l_{12}\ l_3\ l_4 \land coapp\ l_2\ l_3\ l_{23} \land coapp\ l_1\ l_{23}\ l_4.$$

Subsequent steps of the proof involve mainly case analysis on $coapp\ l_{12}\ l_3\ l_4$. As in the inductive case, we have to prove the sub-cases when $l_{12}$ is nil. However, unlike in the former case, case analysis on the arguments of coapp suffices.
4 Properties of derivations 



We discuss several properties of derivations in Linc⁻. Some of them involve transformations on derivations which will be used extensively in the cut-elimination proof in Section 5. Before we proceed, some remarks on the use of eigenvariables in derivations are useful. In proof search involving ∀R, ∃L, IL, CIR or eqL, new eigenvariables can be introduced in the premises of the rules. Let us refer to such variables as internal eigenvariables, since they occur only in the premise derivations. We view the choice of such eigenvariables as arbitrary and therefore we identify derivations that differ only in the choice of the eigenvariables introduced by those rules. Another way to look at it is to consider eigenvariables as proof-level binders. Hence when we work with a derivation, we actually work with an equivalence class of derivations modulo renaming of internal eigenvariables.

4.1 Instantiating derivations 

The following definition extends substitutions to apply to derivations. Since we identify derivations that differ only in 
the choice of variables that are not free in the end-sequent, we will assume that such variables are chosen to be distinct 
from the variables in the domain of the substitution and from the free variables of the range of the substitution. Thus 
applying a substitution to a derivation will only affect the variables free in the end-sequent. 

Definition 3. If Π is a derivation of $\Gamma \longrightarrow C$ and θ is a substitution, then we define the derivation Πθ of $\Gamma\theta \longrightarrow C\theta$ as follows:

1. Suppose Π ends with the eqL rule

where $s\rho =_{\beta\eta} t\rho$. Observe that any unifier for the pair $(s\theta, t\theta)$ can be transformed to another unifier for (s,t), by composing the unifier with θ. Thus Πθ is

$$\dfrac{\left\{\begin{array}{c}\Pi^{\theta \circ \rho'} \\ \Gamma'\theta\rho' \longrightarrow C\theta\rho'\end{array}\right\}_{\rho'}}{s\theta = t\theta,\ \Gamma'\theta \longrightarrow C\theta}\ \mathrm{eqL}$$

where $s\theta\rho' =_{\beta\eta} t\theta\rho'$.

2. If Π ends with any other rule and has premise derivations $\Pi_1, \ldots, \Pi_n$, then Πθ also ends with the same rule and has premise derivations $\Pi_1\theta, \ldots, \Pi_n\theta$.

Among the premises of the inference rules of Linc⁻, certain premises share the same right-hand side formula with the sequent in the conclusion. We refer to such premises as major premises. This notion of major premise will be useful in proving cut-elimination, as certain proof transformations involve only major premises.

Definition 4. Given an inference rule R with one or more premise sequents, we define its major premise sequents as follows.

1. If R is either ⊃L, mc or IL, then its rightmost premise is the major premise.

2. If R is CIR then its left premise is the major premise.

3. Otherwise, all the premises of R are major premises.

A minor premise of a rule R is a premise of R which is not a major premise. The definition extends to derivations by replacing premise sequents with premise derivations.

The following two measures on derivations will be useful later in proving many properties of the logic. Given a set of measures S, we denote with lub(S) the least upper bound of S.

Definition 5. Given a derivation Π with premise derivations $\{\Pi_i\}_i$, the measure ht(Π) is $\mathrm{lub}(\{\mathrm{ht}(\Pi_i)\}_i) + 1$.
Definition 6. Given a derivation Π with premise derivations $\{\Pi_i\}_i$, the measure indm(Π) is defined as follows

$$\mathrm{indm}(\Pi) = \begin{cases} \mathrm{lub}(\{\mathrm{indm}(\Pi_i)\}_i) + 1, & \text{if } \Pi \text{ ends with IL}, \\ \mathrm{lub}(\{\mathrm{indm}(\Pi_i)\}_i), & \text{otherwise.} \end{cases}$$

Note that given the possible infinite branching of the eqL rule, these measures in general can be ordinals. Therefore in proofs involving induction on those measures, transfinite induction is needed. However, in most of the inductive proofs to follow, we often do case analysis on the last rule of a derivation. In such a situation, the inductive cases for both successor ordinals and limit ordinals are basically covered by the case analysis on the inference figures involved, and we shall not make explicit use of transfinite induction.

Lemma 1. For any substitution θ and derivation Π of $\Gamma \longrightarrow C$, Πθ is a derivation of $\Gamma\theta \longrightarrow C\theta$.

Proof. This lemma states that Definition 3 is well-constructed, and follows by induction on ht(Π). □

Lemma 2. For any derivation Π and substitution θ, $\mathrm{ht}(\Pi) \ge \mathrm{ht}(\Pi\theta)$ and $\mathrm{indm}(\Pi) \ge \mathrm{indm}(\Pi\theta)$.

Proof. By induction on ht(Π). The measures may not be equal because in the case where the derivation ends with the eqL rule, some of the premise derivations of Π may not be needed to construct the premise derivations of Πθ. □

Lemma 3. For any derivation Π and substitutions θ and ρ, the derivations $(\Pi\theta)\rho$ and $\Pi(\theta \circ \rho)$ are the same derivation.

Proof. By induction on the measure ht(Π). □



4.2 Atomic initial rule 

It is a common property of most logics that the initial rule can be restricted to atomic form, that is, the rule

$$\dfrac{}{p\,\vec{t} \longrightarrow p\,\vec{t}}\ \mathrm{init}$$

where p is a predicate symbol. The more general rule is derived as follows.

Definition 7. We construct a derivation $\mathrm{Id}_C$ of the sequent $C \longrightarrow C$ inductively as follows. The induction is on the size of C. If C is an atomic formula we simply apply the atomic initial rule. Otherwise, we apply the left and right introduction rules for the topmost logical constant in C, probably with some instances of the contraction and the weakening rule.

The proof of the following lemma is straightforward by induction on $\mathrm{ht}(\mathrm{Id}_C)$.

Lemma 4. For any formula C, it holds that $\mathrm{indm}(\mathrm{Id}_C) = 0$.

Restricting the initial rule to atomic form will simplify some technical definitions to follow. We shall use Id instead of $\mathrm{Id}_C$ to denote identity derivations since the formula C is always known from context.



4.3 Unfolding of derivations 

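Definition 8. Inductive unfolding. Let $p\,\vec{x} \stackrel{\mu}{=} B\,p\,\vec{x}$ be an inductive definition. Let Π be a derivation of $\Gamma \longrightarrow C$ where p dominates C. Let S be a closed term of the same type as p and let $\Pi_S$ be a derivation of the sequent

$$B\,S\,\vec{x} \longrightarrow S\,\vec{x}$$

where $\vec{x}$ are new eigenvariables not free in Γ and C. We define the derivation $\mu^p_C(\Pi, \Pi_S)$ of $\Gamma \longrightarrow C[S/p]$ as follows. If p is vacuous in C, then $\mu^p_C(\Pi, \Pi_S) = \Pi$. Otherwise, we define $\mu^p_C(\Pi, \Pi_S)$ according to the last rule of Π.

1. Suppose Π ends with init

$$\dfrac{}{p\,\vec{t} \longrightarrow p\,\vec{t}}\ \mathrm{init}$$

Then $\mu^p_C(\Pi, \Pi_S)$ is the derivation

$$\dfrac{\begin{array}{c}\Pi_S \\ B\,S\,\vec{x} \longrightarrow S\,\vec{x}\end{array} \qquad \begin{array}{c}\mathrm{Id} \\ S\,\vec{t} \longrightarrow S\,\vec{t}\end{array}}{p\,\vec{t} \longrightarrow S\,\vec{t}}\ \mathrm{IL}$$

2. Suppose Π ends with ⊃L

$$\dfrac{\begin{array}{c}\Pi_1 \\ \Gamma' \longrightarrow D_1\end{array} \qquad \begin{array}{c}\Pi_2 \\ D_2, \Gamma' \longrightarrow C\end{array}}{D_1 \supset D_2,\ \Gamma' \longrightarrow C}\ {\supset}\mathrm{L}$$

Then $\mu^p_C(\Pi, \Pi_S)$ is the derivation

$$\dfrac{\begin{array}{c}\Pi_1 \\ \Gamma' \longrightarrow D_1\end{array} \qquad \begin{array}{c}\mu^p_C(\Pi_2, \Pi_S) \\ D_2, \Gamma' \longrightarrow C[S/p]\end{array}}{D_1 \supset D_2,\ \Gamma' \longrightarrow C[S/p]}\ {\supset}\mathrm{L}$$

3. Suppose Π ends with ⊃R

$$\dfrac{\begin{array}{c}\Pi' \\ \Gamma, C_1 \longrightarrow C_2\end{array}}{\Gamma \longrightarrow C_1 \supset C_2}\ {\supset}\mathrm{R}$$

Note that since p dominates C, it must be the case that p does not occur in $C_1$. The derivation $\mu^p_C(\Pi, \Pi_S)$ is then defined as follows.

$$\dfrac{\begin{array}{c}\mu^p_{C_2}(\Pi', \Pi_S) \\ \Gamma, C_1 \longrightarrow C_2[S/p]\end{array}}{\Gamma \longrightarrow C_1 \supset C_2[S/p]}\ {\supset}\mathrm{R}$$

4. Suppose Π ends with mc

$$\dfrac{\begin{array}{c}\Pi_1 \\ \Delta_1 \longrightarrow B_1\end{array} \quad \cdots \quad \begin{array}{c}\Pi_m \\ \Delta_m \longrightarrow B_m\end{array} \qquad \begin{array}{c}\Pi' \\ B_1, \ldots, B_m, \Gamma' \longrightarrow C\end{array}}{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow C}\ \mathrm{mc}$$

Then $\mu^p_C(\Pi, \Pi_S)$ is

$$\dfrac{\begin{array}{c}\Pi_1 \\ \Delta_1 \longrightarrow B_1\end{array} \quad \cdots \quad \begin{array}{c}\Pi_m \\ \Delta_m \longrightarrow B_m\end{array} \qquad \begin{array}{c}\mu^p_C(\Pi', \Pi_S) \\ B_1, \ldots, B_m, \Gamma' \longrightarrow C[S/p]\end{array}}{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow C[S/p]}\ \mathrm{mc}$$

5. Suppose Π ends with IL on some predicate q given a definition clause $q\,\vec{z} \stackrel{\mu}{=} D\,q\,\vec{z}$.

$$\dfrac{\begin{array}{c}\Psi \\ D\,I\,\vec{z} \longrightarrow I\,\vec{z}\end{array} \qquad \begin{array}{c}\Pi' \\ I\,\vec{t}, \Gamma' \longrightarrow C\end{array}}{q\,\vec{t}, \Gamma' \longrightarrow C}\ \mathrm{IL}$$

Then $\mu^p_C(\Pi, \Pi_S)$ is the derivation

$$\dfrac{\begin{array}{c}\Psi \\ D\,I\,\vec{z} \longrightarrow I\,\vec{z}\end{array} \qquad \begin{array}{c}\mu^p_C(\Pi', \Pi_S) \\ I\,\vec{t}, \Gamma' \longrightarrow C[S/p]\end{array}}{q\,\vec{t}, \Gamma' \longrightarrow C[S/p]}\ \mathrm{IL}$$

6. Suppose Π ends with IR

$$\dfrac{\begin{array}{c}\Pi' \\ \Gamma \longrightarrow B\,p\,\vec{t}\end{array}}{\Gamma \longrightarrow p\,\vec{t}}\ \mathrm{IR}$$

Then $\mu^p_C(\Pi, \Pi_S)$ is the derivation

$$\dfrac{\begin{array}{c}\mu^p_{B\,p\,\vec{t}}(\Pi', \Pi_S) \\ \Gamma \longrightarrow B\,S\,\vec{t}\end{array} \qquad \begin{array}{c}\Pi_S[\vec{t}/\vec{x}] \\ B\,S\,\vec{t} \longrightarrow S\,\vec{t}\end{array}}{\Gamma \longrightarrow S\,\vec{t}}\ \mathrm{mc}$$

7. If Π ends with any other rules, and has premise derivations

$$\left\{\begin{array}{c}\Pi_i \\ \Gamma_i \longrightarrow C_i\end{array}\right\}_{i \in I}$$

for some index set I, then $\mu^p_C(\Pi, \Pi_S)$ also ends with the same rule and has premise derivations $\{\mu^p_{C_i}(\Pi_i, \Pi_S)\}_{i \in I}$.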

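Definition 9. Co-inductive unfolding. Let $p\,\vec{x} = B\,p\,\vec{x}$ be a co-inductive definition. Let $S$ be a closed term of the same type as $p$ and let $\Pi_S$ be a derivation of

$$S\,\vec{x} \longrightarrow B\,S\,\vec{x}.$$

Let $C$ be a formula dominated by $p$, and let $\Pi$ be a derivation of $\Gamma \longrightarrow C[S/p]$. We define the derivation $\nu^p_C(\Pi,\Pi_S)$ of $\Gamma \longrightarrow C$ as follows.

If $p$ is vacuous in $C$, then $\nu^p_C(\Pi,\Pi_S) = \Pi$. If $C = p\,\vec{t}$ then $C[S/p] = S\,\vec{t}$ and $\nu^p_C(\Pi,\Pi_S)$ is the derivation

$$\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow p\,\vec{t}}{\deduce{\Gamma \longrightarrow S\,\vec{t}}{\Pi} & \deduce{S\,\vec{x} \longrightarrow B\,S\,\vec{x}}{\Pi_S}}$$

Otherwise, we define $\nu^p_C(\Pi,\Pi_S)$ based on the last rule in $\Pi$.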
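1. Suppose $\Pi$ ends with ${\supset}\mathcal{L}$

$$\infer[{\supset}\mathcal{L}]{D_1 \supset D_2, \Gamma' \longrightarrow C[S/p]}{\deduce{\Gamma' \longrightarrow D_1}{\Pi_1} & \deduce{D_2, \Gamma' \longrightarrow C[S/p]}{\Pi_2}}$$

Then $\nu^p_C(\Pi,\Pi_S)$ is the derivation

$$\infer[{\supset}\mathcal{L}]{D_1 \supset D_2, \Gamma' \longrightarrow C}{\deduce{\Gamma' \longrightarrow D_1}{\Pi_1} & \deduce{D_2, \Gamma' \longrightarrow C}{\nu^p_C(\Pi_2,\Pi_S)}}$$

2. Suppose $\Pi$ ends with ${\supset}\mathcal{R}$

$$\infer[{\supset}\mathcal{R}]{\Gamma \longrightarrow (C_1 \supset C_2)[S/p]}{\deduce{\Gamma, C_1 \longrightarrow C_2[S/p]}{\Pi'}}$$

Note that since $p$ dominates $C$, it must be the case that $p$ is vacuous in $C_1$. Therefore we construct the derivation $\nu^p_C(\Pi,\Pi_S)$ as follows.

$$\infer[{\supset}\mathcal{R}]{\Gamma \longrightarrow C_1 \supset C_2}{\deduce{\Gamma, C_1 \longrightarrow C_2}{\nu^p_{C_2}(\Pi',\Pi_S)}}$$

3. Suppose $\Pi$ ends with $\mathit{mc}$

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_m,\Gamma' \longrightarrow C[S/p]}{\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow B_m}{\Pi_m} & \deduce{B_1,\ldots,B_m,\Gamma' \longrightarrow C[S/p]}{\Pi'}}$$

Then $\nu^p_C(\Pi,\Pi_S)$ is

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_m,\Gamma' \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow B_m}{\Pi_m} & \deduce{B_1,\ldots,B_m,\Gamma' \longrightarrow C}{\nu^p_C(\Pi',\Pi_S)}}$$

4. Suppose $\Pi$ ends with $\mathrm{I}\mathcal{L}$ on a predicate $q\,\vec{t}$, given an inductive definition $q\,\vec{z} = D\,q\,\vec{z}$.

$$\infer[\mathrm{I}\mathcal{L}]{q\,\vec{t}, \Gamma' \longrightarrow C[S/p]}{\deduce{D\,I\,\vec{z} \longrightarrow I\,\vec{z}}{\Psi} & \deduce{I\,\vec{t}, \Gamma' \longrightarrow C[S/p]}{\Pi'}}$$

Then $\nu^p_C(\Pi,\Pi_S)$ is the derivation

$$\infer[\mathrm{I}\mathcal{L}]{q\,\vec{t}, \Gamma' \longrightarrow C}{\deduce{D\,I\,\vec{z} \longrightarrow I\,\vec{z}}{\Psi} & \deduce{I\,\vec{t}, \Gamma' \longrightarrow C}{\nu^p_C(\Pi',\Pi_S)}}$$

5. If $\Pi$ ends with any other rules, and has premise derivations

$$\left\{ \deduce{\Gamma_i \longrightarrow C_i[S/p]}{\Pi_i} \right\}_{i \in I}$$

for some index set $I$, then $\nu^p_C(\Pi,\Pi_S)$ also ends with the same rule and has premise derivations $\{\nu^p_{C_i}(\Pi_i,\Pi_S)\}_{i \in I}$.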

The following two lemmas state that substitutions commute with unfolding of derivations. Their proofs follow straightforwardly from the fact that the definitions of (co-)inductive unfolding depend only on the logical structures of conclusions of sequents, and hence are orthogonal to substitutions of eigenvariables. In these lemmas, we assume that the formulas $C$, $p$ and derivations $\Pi$ and $\Pi_S$ satisfy the conditions of Definition 8 and Definition 9.

Lemma 5. The derivations $\mu^p_C(\Pi,\Pi_S)\theta$ and $\mu^p_C(\Pi\theta,\Pi_S)$ are the same derivation.

Lemma 6. The derivations $\nu^p_C(\Pi,\Pi_S)\theta$ and $\nu^p_C(\Pi\theta,\Pi_S)$ are the same derivation.



5 Cut elimination for $\mathrm{Linc}^-$

A central result of our work is cut-elimination, from which consistency of the logic follows. Gentzen's classic proof of cut-elimination for first-order logic uses an induction on the size of the cut formula, i.e., the number of logical connectives in the formula. The cut-elimination procedure consists of a set of reduction rules that reduce a cut of a compound formula to cuts on its sub-formulae of smaller size. In the case of $\mathrm{Linc}^-$, the use of induction/co-induction complicates the reduction of cuts. Consider for example a cut involving the induction rules

$$\infer[\mathit{mc}]{\Delta, \Gamma \longrightarrow C}{\infer[\mathrm{I}\mathcal{R}]{\Delta \longrightarrow p\,\vec{t}}{\deduce{\Delta \longrightarrow B\,p\,\vec{t}}{\Pi_1}} & \infer[\mathrm{I}\mathcal{L}]{p\,\vec{t}, \Gamma \longrightarrow C}{\deduce{B\,S\,\vec{y} \longrightarrow S\,\vec{y}}{\Pi_B} & \deduce{S\,\vec{t}, \Gamma \longrightarrow C}{\Pi}}}$$

There are at least two problems in reducing this cut. First, any permutation upwards of the cut will necessarily involve a cut with $S$ that can be of larger size than $p$, and hence a simple induction on the size of cut formula will not work. Second, the invariant $S$ does not appear in the conclusion of the left premise of the cut. The latter means that we need to transform the left premise so that its end sequent will agree with the right premise. Any such transformation will most likely be global, and hence simple induction on the height of derivations will not work either.

We shall use the reducibility techniques to prove cut elimination. More specifically, we shall build on the notion of reducibility introduced by Martin-Löf to prove normalization of an intuitionistic logic with iterative inductive definition [24]. Martin-Löf's proof has been adapted to sequent calculus by McDowell and Miller [25], but in a restricted setting where only natural number induction is allowed. Since our logic involves arbitrary stratified inductive definitions, which also include iterative inductive definitions, we shall need more general cut reductions. But the real difficulty in our case is in establishing cut elimination in the presence of co-inductive definitions, for which there is no known cut elimination proof for the sequent calculus formulation.

The main part of the reducibility technique is a definition of the family of reducible sets of derivations. In Martin-Löf's theory of iterative inductive definition, this family of sets is defined inductively by the level of the derivations they contain. Extending this definition of reducibility to $\mathrm{Linc}^-$ is not obvious. In particular, in establishing the reducibility of a derivation $\Xi$ ending with a $\mathrm{CI}\mathcal{R}$ rule:

$$\infer[\mathrm{CI}\mathcal{R},\ p\,\vec{x} = B\,p\,\vec{x}]{\Gamma \longrightarrow p\,\vec{t}}{\deduce{\Gamma \longrightarrow S\,\vec{t}}{\Pi} & \deduce{S\,\vec{x} \longrightarrow B\,S\,\vec{x}}{\Pi_S}}$$

one must first establish the reducibility of its premise derivations. But a naive definition of reducibility for $\Xi$, i.e., a definition that postulates the reducibility of $\Xi$ from the reducibility of its premises, is not a monotone definition, since the premise derivations of $\Xi$ may be derivations that have a higher level than $\Xi$.

To define a proper notion of reducibility for the co-inductive cases, we use a notion of parametric reducibility, similar to that used in the strong normalisation proof of System F [19]. The notion of a parameter in our case is essentially a coinductive predicate. As with strong normalisation of System F, these parameters are substituted with some "reducibility candidates", which in our case are certain sets of derivations of a co-inductive invariant which we call saturated sets. Let us say that a derivation $\Psi$ has type $B$ if its end sequent is of the form $\Gamma \longrightarrow B$, for some $\Gamma$. Roughly, a parametric reducibility set of type $C$, under a parameter substitution $[S/p]$, where $p$ is a co-inductive predicate and $S$ is an invariant of the same type as $p$, is a certain set of derivations of type $C[S/p]$ satisfying some closure conditions which are very similar to the definition of reducibility sets, but without the co-inductive part. The definition of reducibility in the case involving co-induction rules, e.g., as in the derivation $\Xi$ above, can then be defined in terms of parametric reducibility sets, under appropriate parameter substitutions. Details of the definition will be given later in this section.



5.1 Cut reduction 

We follow the idea of Martin-Löf in using derivations directly as a measure by defining a well-founded ordering on them. The basis for the latter relation is a set of reduction rules (called the contraction rules in [24]) that are used to eliminate the applications of the cut rule. For the cases involving logical connectives, the cut-reduction rules used to prove the cut-elimination for $\mathrm{Linc}^-$ are the same as those of $FO\lambda^{\Delta\mathbb{N}}$. The crucial differences are in the reduction rules involving induction and co-induction rules.

Definition 10. We define a reduction relation between derivations. The redex is always a derivation $\Xi$ ending with the multicut rule

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1,\ldots,B_n,\Gamma \longrightarrow C}{\Pi}}$$

We refer to the formulas $B_1,\ldots,B_n$ produced by the $\mathit{mc}$ as cut formulas.
If $n = 0$, $\Xi$ reduces to the premise derivation $\Pi$.

For $n > 0$ we specify the reduction relation based on the last rule of the premise derivations. If the rightmost premise derivation $\Pi$ ends with a left rule acting on a cut formula $B_i$, then the last rule of $\Pi_i$ and the last rule of $\Pi$ together determine the reduction rules that apply. We classify these rules according to the following criteria: we call the rule an essential case when $\Pi_i$ ends with a right rule; if it ends with a left rule, it is a left-commutative case; if $\Pi_i$ ends with the $\mathit{init}$ rule, then we have an axiom case; a multicut case arises when it ends with the $\mathit{mc}$ rule. When $\Pi$ does not end with a left rule acting on a cut formula, then its last rule is alone sufficient to determine the reduction rules that apply. If $\Pi$ ends in a rule acting on a formula other than a cut formula, then we call this a right-commutative case. A structural case results when $\Pi$ ends with a contraction or weakening on a cut formula. If $\Pi$ ends with the $\mathit{init}$ rule, this is also an axiom case; similarly a multicut case arises if $\Pi$ ends in the $\mathit{mc}$ rule.

For simplicity of presentation, we always show $i = 1$.

Essential cases: 
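$\wedge\mathcal{R}/\wedge\mathcal{L}$: If $\Pi_1$ and $\Pi$ are

$$\infer[\wedge\mathcal{R}]{\Delta_1 \longrightarrow B_1' \wedge B_1''}{\deduce{\Delta_1 \longrightarrow B_1'}{\Pi_1'} & \deduce{\Delta_1 \longrightarrow B_1''}{\Pi_1''}} \qquad \infer[\wedge\mathcal{L}]{B_1' \wedge B_1'', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{B_1', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

then $\Xi$ reduces to

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1'}{\Pi_1'} & \deduce{\Delta_2 \longrightarrow B_2}{\Pi_2} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

The case for the other $\wedge\mathcal{L}$ rule is symmetric.
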
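$\vee\mathcal{R}/\vee\mathcal{L}$: If $\Pi_1$ and $\Pi$ are

$$\infer[\vee\mathcal{R}]{\Delta_1 \longrightarrow B_1' \vee B_1''}{\deduce{\Delta_1 \longrightarrow B_1'}{\Pi_1'}} \qquad \infer[\vee\mathcal{L}]{B_1' \vee B_1'', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{B_1', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'} & \deduce{B_1'', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi''}}$$

then $\Xi$ reduces to

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1'}{\Pi_1'} & \deduce{\Delta_2 \longrightarrow B_2}{\Pi_2} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

The case for the other $\vee\mathcal{R}$ rule is symmetric.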
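${\supset}\mathcal{R}/{\supset}\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[{\supset}\mathcal{R}]{\Delta_1 \longrightarrow B_1' \supset B_1''}{\deduce{B_1', \Delta_1 \longrightarrow B_1''}{\Pi_1'}} \qquad \infer[{\supset}\mathcal{L}]{B_1' \supset B_1'', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{B_2,\ldots,B_n,\Gamma \longrightarrow B_1'}{\Pi'} & \deduce{B_1'', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi''}}$$

Let $\Xi_1$ be

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow B_1''}{\infer[\mathit{mc}]{\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow B_1'}{\left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in \{2..n\}} & \deduce{B_2,\ldots,B_n,\Gamma \longrightarrow B_1'}{\Pi'}} & \deduce{B_1', \Delta_1 \longrightarrow B_1''}{\Pi_1'}}$$

Then $\Xi$ reduces to

$$\infer=[c\mathcal{L}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma,\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\ldots \longrightarrow B_1''}{\Xi_1} & \left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in \{2..n\}} & \deduce{B_1'', \{B_i\}_{i \in \{2..n\}}, \Gamma \longrightarrow C}{\Pi''}}}$$

We use the double horizontal lines to indicate that the relevant inference rule (in this case, $c\mathcal{L}$) may need to be applied zero or more times.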
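$\forall\mathcal{R}/\forall\mathcal{L}$: If $\Pi_1$ and $\Pi$ are

$$\infer[\forall\mathcal{R}]{\Delta_1 \longrightarrow \forall x.B_1'}{\deduce{\Delta_1 \longrightarrow B_1'[y/x]}{\Pi_1'}} \qquad \infer[\forall\mathcal{L}]{\forall x.B_1', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{B_1'[t/x], B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

then $\Xi$ reduces to

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1'[t/x]}{\Pi_1'[t/y]} & \left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in \{2..n\}} & \deduce{\ldots \longrightarrow C}{\Pi'}}$$
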



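$\exists\mathcal{R}/\exists\mathcal{L}$: If $\Pi_1$ and $\Pi$ are

$$\infer[\exists\mathcal{R}]{\Delta_1 \longrightarrow \exists x.B_1'}{\deduce{\Delta_1 \longrightarrow B_1'[t/x]}{\Pi_1'}} \qquad \infer[\exists\mathcal{L}]{\exists x.B_1', B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{B_1'[y/x], B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

then $\Xi$ reduces to

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1'[t/x]}{\Pi_1'} & \ldots & \deduce{B_1'[t/x], B_2,\ldots,\Gamma \longrightarrow C}{\Pi'[t/y]}}$$
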
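$*/\mathrm{I}\mathcal{L}$: Suppose $\Pi$ is the derivation

$$\infer[\mathrm{I}\mathcal{L}]{p\,\vec{t}, B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{D\,S\,\vec{x} \longrightarrow S\,\vec{x}}{\Pi_S} & \deduce{S\,\vec{t}, B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

where $p\,\vec{x} = D\,p\,\vec{x}$. Then $\Xi$ reduces to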



A] — >St 



n' 

St, . . . ,B n ,T — ► C 



Ai,...,A„,r — >c 



mc 



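$\mathrm{CI}\mathcal{R}/\mathrm{CI}\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[\mathrm{CI}\mathcal{R}]{\Delta_1 \longrightarrow p\,\vec{t}}{\deduce{\Delta_1 \longrightarrow S\,\vec{t}}{\Pi_1'} & \deduce{S\,\vec{x} \longrightarrow D\,S\,\vec{x}}{\Pi_S}} \qquad \infer[\mathrm{CI}\mathcal{L}]{p\,\vec{t},\ldots,\Gamma \longrightarrow C}{\deduce{D\,p\,\vec{t},\ldots,\Gamma \longrightarrow C}{\Pi'}}$$

Let $\Xi_1$ be the derivation

$$\infer[\mathit{mc}]{\Delta_1 \longrightarrow D\,S\,\vec{t}}{\deduce{\Delta_1 \longrightarrow S\,\vec{t}}{\Pi_1'} & \deduce{S\,\vec{t} \longrightarrow D\,S\,\vec{t}}{\Pi_S[\vec{t}/\vec{x}]}}$$

Then $\Xi$ reduces to

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow D\,p\,\vec{t}}{\nu^p_{D\,p\,\vec{t}}(\Xi_1,\Pi_S)} & \left\{\deduce{\Delta_j \longrightarrow B_j}{\Pi_j}\right\}_{j \in \{2..n\}} & \deduce{D\,p\,\vec{t},\ldots,\Gamma \longrightarrow C}{\Pi'}}$$
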



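$\mathrm{eq}\mathcal{R}/\mathrm{eq}\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[\mathrm{eq}\mathcal{R}]{\Delta_1 \longrightarrow s = t}{} \qquad \infer[\mathrm{eq}\mathcal{L}]{s = t, B_2,\ldots,B_n,\Gamma \longrightarrow C}{\left\{\deduce{B_2\rho,\ldots,B_n\rho,\Gamma\rho \longrightarrow C\rho}{\Pi^\rho}\right\}_\rho}$$

Then by the definition of $\mathrm{eq}\mathcal{R}$ rule, $s$ and $t$ are equal terms (modulo $\lambda$-conversion), and hence are unifiable by the empty substitution. Note that in this case $\Pi^\epsilon \in \{\Pi^\rho\}_\rho$. Therefore $\Xi$ reduces to

$$\infer[w\mathcal{L}]{\Delta_1,\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow C}{\infer[\mathit{mc}]{\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow C}{\left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in \{2..n\}} & \deduce{B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi^\epsilon}}}$$
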



Left-commutative cases: In the following cases, we suppose that $\Pi$ ends with a left rule, other than $\{c\mathcal{L}, w\mathcal{L}, \mathrm{I}\mathcal{L}\}$, acting on $B_1$.



$\bullet\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is



A\ — B, 



•L 



Ai — >Bi 

where $\bullet\mathcal{L}$ is any left rule except ${\supset}\mathcal{L}$, $\mathrm{eq}\mathcal{L}$, or $\mathrm{I}\mathcal{L}$. Then $\Xi$ reduces to



n 

je{2..n] B u ...,B n ,r — >C 



A'A 2 ,...,A„,r — >c 



mc 



Ai,A 2 ,...,A„,r — >C 



•L 
${\supset}\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is



n' 



n'/ 



Let $\Xi_1$ be



Then $\Xi$ reduces to



n 2 n„ n 

D'[,A\ — >Z?i A 2 ^B 2 ■■■ A„^B„ B u ...,B n ,r^C 



D?,A' 1 ,A 2 ,...,A I .,r — C 



mc 



A' 1 ,A 2 ,...,A„,r — >D'j D'/,A' 1 ,A 2 ,...,A„,r — >C 

D[ DD'(,A> l ,A 2 ,...,An,r^C 



$\mathrm{I}\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is



DSx — >Sx 5F,A'j — >B] 



where $p\,\vec{x} = D\,p\,\vec{x}$. Let $\Xi_1$ be



n', 



m n„ n 

S7,A'!— >fli ... A n ^B n B h ...,B n ,T 
St,A[,A 2l ...,A rh T — >C 



mc 



Then $\Xi$ reduces to



$\mathrm{eq}\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is



then $\Xi$ reduces to



U s Si 

DSx — >Sx 5f,A' 1 ,...,A„,r- 

p?,A' 1 ,...,A„ — >C 



IX 



( nf 1 

\A^p-^Bip/ 

s = t,A\ — >Bi 



eqx 



np 



Cp 



A;p,A 2 p,...,A„p,rp — >cp 



mc 



s = f,A' l7 A 2 ,...,A„,r — >C 



eqx 



Right-commutative cases: 
$-/\circ\mathcal{L}$: Suppose $\Pi$ is



fil, . . . ,B n ,T l — ► C 
Bi, . . . ,B„,T — ► C 



ox 



where $\circ\mathcal{L}$ is any left rule other than ${\supset}\mathcal{L}$, $\mathrm{eq}\mathcal{L}$, or $\mathrm{I}\mathcal{L}$ acting on a formula other than $B_1,\ldots,B_n$. The derivation $\Xi$ reduces to



rii 

Ai -^B| 



n„ rr 

A n — >-B„ gi,...,g n; r' 

Vi,...,A,i,r<— »C 
Ai,...,A„,r — >c 



mc 



oL 
$-/{\supset}\mathcal{L}$: Suppose $\Pi$ is



Let $\Xi_1$ be



and $\Xi_2$ be



Then $\Xi$ reduces to



$-/\mathrm{I}\mathcal{L}$: Suppose $\Pi$ is



where $p\,\vec{x} = D\,p\,\vec{x}$. Let $\Xi_1$ be



n' / ^ n" 

B\, . . . ,B n ,P — > D 1 Bi,... ,B n ,D" ,T' — ► C 



B u ...,B n ,D'DD",r' — C 



ni n„ n' 

Ai— »Bi ••• A n ^B„ B u ...,B n ,T> ^D> 



n. 



Ai,...,A„,r'^D' 

n„ n" 



Ai— -+B1 ■■■ A n ^B n B u ...,B„,D",r 
A h ...,A n ,D",r' -^C 



-1 -2 

Ai, . . . , A„,r — > zy Ai , . . . , A n ,p",r' — + c 

A u ...,A n ,D'DD"X 



mc 



mc 



D L 



n s n' 

DSx — >Sx Bi,...,B n ,St,P — >C 
B\,... ,B n ,pt,T' — ► C 



IL 



iii n„ n' 

Ai— ■■■ A„^g„ gi,..., J B„,Sf,I v — >c 

Ai,...,A B ,s?,r'— 



mc 



Then $\Xi$ reduces to



$-/\mathrm{eq}\mathcal{L}$: If $\Pi$ is



then $\Xi$ reduces to



$-/\circ\mathcal{R}$: If $\Pi$ is



U S E 

DSx — >Sx A l ,...,A n ,St,r' — >C 

A u ...,A„,pt,r' — >c 



IL 



np 

gip,..., J B„p,I v p— >Cp 

Bi,...,s„,s = r,r'^c 



np 



A,p — -> Bfp J n} g . p >r y p _^ Cp 
Aip,...,A„p,r'p — >Cp 

Ai,...,A„,s = ?,r' — >c 



mc 



it 

gi,...,g B ,r-^c i 

Bi,... ,B n ,T — > C 
where $\circ\mathcal{R}$ is any right rule except $\mathrm{CI}\mathcal{R}$, then $\Xi$ reduces to



o3L 



ni n„ rr 

Ai— >fli ■■■ A n ^B n B h ...,B n ,r — >C' 
Ai,...,A„,P — >C"' 

Ai,...,A„,r — >c 



mc 



03^ 






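$-/\mathrm{CI}\mathcal{R}$: Suppose $\Pi$ is

$$\infer[\mathrm{CI}\mathcal{R}]{B_1,\ldots,B_n,\Gamma \longrightarrow p\,\vec{t}}{\deduce{B_1,\ldots,B_n,\Gamma \longrightarrow S\,\vec{t}}{\Pi'} & \deduce{S\,\vec{x} \longrightarrow D\,S\,\vec{x}}{\Pi_S}}$$

where $p\,\vec{x} = D\,p\,\vec{x}$. Let $\Xi_1$ be

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow S\,\vec{t}}{\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1,\ldots,B_n,\Gamma \longrightarrow S\,\vec{t}}{\Pi'}}$$

Then $\Xi$ reduces to

$$\infer[\mathrm{CI}\mathcal{R}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow p\,\vec{t}}{\deduce{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow S\,\vec{t}}{\Xi_1} & \deduce{S\,\vec{x} \longrightarrow D\,S\,\vec{x}}{\Pi_S}}$$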

Multicut cases: 

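$\mathit{mc}/\circ\mathcal{L}$: If $\Pi$ ends with a left rule, other than $c\mathcal{L}$, $w\mathcal{L}$ and $\mathrm{I}\mathcal{L}$, acting on $B_1$ and $\Pi_1$ ends with a multicut and reduces to $\Pi_1'$, then $\Xi$ reduces to

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1'} & \deduce{\Delta_2 \longrightarrow B_2}{\Pi_2} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1,\ldots,B_n,\Gamma \longrightarrow C}{\Pi}}$$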

$-/\mathit{mc}$: Suppose $\Pi$ is

IF 



mc 



{Bi} ieIj ,rJ -^D'j MLm} {D i } {Bi} . eI ,f ^ c 

i mc 

B\,...,B n ,r ,...,r m ,r — >c , 

where I 1 ,... ,I m , I' partition the formulas {B,'}; G {i..„} among the premise derivations Yl\, Il m ,n'. For 1 < j < m 
let E' be 

n, ) nJ 

|A,— B,J <6/ , {B . }jijh V j 



mc 



Then $\Xi$ reduces to



{A,-} j6/ ,,iv— 



Ai,...,A B ,r 1 ,...r»,r v — »c 



— mc 



Structural cases: 
$-/c\mathcal{L}$: If $\Pi$ is

then $\Xi$ reduces to



w 

B u Bi,B 2 ,...,B„,r — >C 
B h B 2 ,...,B n ,T — >C 



CX 



Ai^B] l A '' yB ')ie{i..n} 



Ai,Ai,A 2 , . . . ,A„,A„,r — > C 
Ai,A 2 ,...,A„,r — >c 



B\,B\,B 2 , . . . ,B n ,r — ► C 

mc 
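$-/w\mathcal{L}$: If $\Pi$ is

$$\infer[w\mathcal{L}]{B_1, B_2,\ldots,B_n,\Gamma \longrightarrow C}{\deduce{B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}$$

then $\Xi$ reduces to

$$\infer[w\mathcal{L}]{\Delta_1,\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow C}{\infer[\mathit{mc}]{\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_2 \longrightarrow B_2}{\Pi_2} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi'}}}$$
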
Axiom cases: 

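$\mathit{init}/\circ\mathcal{L}$: Suppose $\Pi$ ends with a left-rule acting on $B_1$ and $\Pi_1$ ends with the $\mathit{init}$ rule. Then it must be the case that $\Delta_1 = \{B_1\}$ and $\Xi$ reduces to

$$\infer[\mathit{mc}]{B_1,\Delta_2,\ldots,\Delta_n,\Gamma \longrightarrow C}{\deduce{\Delta_2 \longrightarrow B_2}{\Pi_2} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1,B_2,\ldots,B_n,\Gamma \longrightarrow C}{\Pi}}$$

$-/\mathit{init}$: If $\Pi$ ends with the $\mathit{init}$ rule, then $n = 1$, $\Gamma$ is the empty multiset, and $C$ must be a cut formula, i.e., $C = B_1$. Therefore $\Xi$ reduces to $\Pi_1$.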

Notice that the reductions in the essential case for induction and co-induction are not symmetric. This is because we 
use an asymmetric measure to show the termination of cut-reduction, that is, the complexity of cut is always reduced 
on the right premise. The difficulty in getting a symmetric measure, in the presence of contraction and implication (in 
the body of definition), is already observed in logics with definitions but without (co-)induction [49]. 

It is clear from an inspection of the rules of the logic and the definition of cut reduction that every derivation ending 
with a multicut has a reduct. But because we use multisets in sequents, there may be some ambiguity as to whether a 
formula occurring on the left side of the rightmost premise of a multicut rule is in fact a cut formula, and if so, which 
of the left premises corresponds to it. As a result, several of the reduction rules may apply, and so a derivation may 
have multiple redexes. 

The following lemmas show that the reduction relation is preserved by some of the transformations of derivations 
defined previously. 

Lemma 7. Let $\Pi$ be a derivation of $\Gamma \longrightarrow C$ ending with a $\mathit{mc}$ and let $\theta$ be a substitution. If $\Pi\theta$ reduces to $\Xi$ then there exists a derivation $\Pi'$ such that $\Xi = \Pi'\theta$ and $\Pi$ reduces to $\Pi'$.

Proof. Observe that the redexes of a derivation are not affected by substitution, since the cut reduction rules are determined by the last rules of the premise derivations of the derivation, which are not changed by substitution. Therefore, any cut reduction rule that is applied to $\Pi\theta$ to get $\Xi$ can also be applied to $\Pi$. Suppose that $\Pi'$ is the reduct of $\Pi$ obtained this way. In all cases, except for the cases where the reduction rule applied is either $*/\mathrm{I}\mathcal{L}$ or $\mathrm{CI}\mathcal{L}/\mathrm{CI}\mathcal{R}$, it is a matter of routine to check that $\Pi'\theta = \Xi$. For the reduction rules $*/\mathrm{I}\mathcal{L}$ and $\mathrm{CI}\mathcal{L}/\mathrm{CI}\mathcal{R}$, we need Lemma 5 and Lemma 6 which show that substitution commutes with (co-)inductive unfolding. □

Lemma 8. Let $p\,\vec{x} = D\,p\,\vec{x}$ be an inductive definition and let $\Pi_S$ be a derivation of $D\,S\,\vec{x} \longrightarrow S\,\vec{x}$ for some invariant $S$. Let $C$ be a non-atomic formula dominated by $p$. Let $\Pi$ and $\Pi'$ be two derivations of the same sequent $\Gamma \longrightarrow C$, and $\Pi$ ends with an $\mathit{mc}$-rule. If $\mu^p_C(\Pi,\Pi_S)$ reduces to $\Xi$ then there exists a derivation $\Pi'$ such that $\Xi = \mu^p_C(\Pi',\Pi_S)$ and $\Pi$ reduces to $\Pi'$.

Proof. By case analysis on the reduction rules. The case analysis can be much simplified by the following observations. First, the reduction rules are driven only by outermost connectives in the formulas in the sequent. Second, the unfolding of a derivation affects only the right-hand-side of the sequents appearing in the derivation (or more specifically, only the branches containing major premises). By a quick inspection on the definition of reduction rules in Definition 10, we see that the only non-trivial case to consider is the right-commutative case $-/\circ\mathcal{R}$. Since $C$ is non-atomic (and assuming that it has at least one occurrence of $p$, otherwise it is trivial since $\Pi = \mu^p_C(\Pi,\Pi_S)$ in this case), the only cases we need to verify is when its topmost logical connective is either $\wedge$, $\vee$, $\supset$, $\forall$ and $\exists$. In these cases, the unfolding does not change the topmost connective, therefore any reduction rule that applies to $\mu^p_C(\Pi,\Pi_S)$ also applies to $\Pi$. Lemma 5 and Lemma 6 are used when substitutions are involved (right/left commutative cases with $\mathrm{eq}\mathcal{L}$). □
Lemma 9. Let $p\,\vec{x} = D\,p\,\vec{x}$ be an inductive definition and let $\Pi_S$ be a derivation of $D\,S\,\vec{x} \longrightarrow S\,\vec{x}$ for some invariant $S$. Let $\Pi$ be the derivation

$$\infer[\mathit{mc}]{\Delta_1,\ldots,\Delta_n,\Gamma \longrightarrow p\,\vec{t}}{\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1} & \cdots & \deduce{\Delta_n \longrightarrow B_n}{\Pi_n} & \deduce{B_1,\ldots,B_n,\Gamma \longrightarrow p\,\vec{t}}{\Pi'}}$$

Suppose that $\Pi'$ ends with a rule other than $\mathit{init}$ and $\mathrm{I}\mathcal{R}$. If $\mu^p_{p\,\vec{t}}(\Pi,\Pi_S)$ reduces to $\Xi$ then there exists a derivation $\Pi''$ such that $\Xi = \mu^p_{p\,\vec{t}}(\Pi'',\Pi_S)$ and $\Pi$ reduces to $\Pi''$.

Proof. The proof is straightforward by inspection on the cut reduction rules and the definition of inductive unfolding. □

Lemma 10. Let $p\,\vec{x} = D\,p\,\vec{x}$ be a co-inductive definition and let $\Pi_S$ be a derivation of $S\,\vec{x} \longrightarrow D\,S\,\vec{x}$ for some invariant $S$. Let $C$ be a non-atomic formula dominated by $p$. Let $\Pi$ and $\Pi'$ be two derivations of the sequent $\Gamma \longrightarrow C[S/p]$, where $\Pi$ ends with a $\mathit{mc}$ rule. If $\nu^p_C(\Pi,\Pi_S)$ reduces to $\Xi$ then there exists a derivation $\Pi'$ such that $\Xi = \nu^p_C(\Pi',\Pi_S)$ and $\Pi$ reduces to $\Pi'$.

Proof. Analogous to the proof of Lemma 8. □



5.2 Normalizability 

Definition 11. We define the set of normalizable derivations to be the smallest set that satisfies the following conditions:

1. If a derivation $\Pi$ ends with a multicut, then it is normalizable if every reduct of $\Pi$ is normalizable.

2. If a derivation ends with any rule other than a multicut, then it is normalizable if the premise derivations are normalizable.

Following Martin-Löf [24], instead of assigning some ordinal measures to derivations and defining an ordering on them, we shall use the derivation figures themselves as a measure. Each clause in the definition of normalizability asserts that a derivation is normalizable if certain (possibly infinitely many) other derivations are normalizable. We call the latter the predecessors of the former. Thus a derivation is normalizable if the tree of its successive predecessors is well-founded. We refer to this well-founded tree as its normalization.

Since a normalization is well-founded, it has an associated induction principle: for any property $P$ of derivations, if for every derivation $\Pi$ in the normalization, $P$ holds for every predecessor of $\Pi$ implies that $P$ holds for $\Pi$, then $P$ holds for every derivation in the normalization.

The set of all normalizable derivations is denoted by NM. 

Lemma 11. If there is a normalizable derivation of a sequent, then there is a cut-free derivation of the sequent. 

Proof. Let $\Pi$ be a normalizable derivation of the sequent $\Gamma \longrightarrow B$. We show by induction on the normalization of $\Pi$ that there is a cut-free derivation of $\Gamma \longrightarrow B$.

1. If $\Pi$ ends with a multicut, then any of its reducts is one of its predecessors and so is normalizable. But the reduct is also a derivation of $\Gamma \longrightarrow B$, so by the induction hypothesis this sequent has a cut-free derivation.

2. Suppose $\Pi$ ends with a rule other than multicut. Since we are given that $\Pi$ is normalizable, by definition the premise derivations are normalizable. These premise derivations are the predecessors of $\Pi$, so by the induction hypothesis there are cut-free derivations of the premises. Thus there is a cut-free derivation of $\Gamma \longrightarrow B$.

□

The next lemma states that normalization is closed under substitutions.

Lemma 12. If $\Pi$ is a normalizable derivation, then for any substitution $\theta$, $\Pi\theta$ is normalizable.

Proof. We prove this lemma by induction on the normalization of $\Pi$.

1. If $\Pi$ ends with a multicut, then $\Pi\theta$ also ends with a multicut. By Lemma 7 every reduct of $\Pi\theta$ corresponds to a reduct of $\Pi$, therefore by induction hypothesis every reduct of $\Pi\theta$ is normalizable, and hence $\Pi\theta$ is normalizable.

2. Suppose $\Pi$ ends with a rule other than multicut and has premise derivations $\{\Pi_i\}$. By Definition 3 each premise derivation in $\Pi\theta$ is either $\Pi_i$ or $\Pi_i\theta$. Since $\Pi$ is normalizable, $\Pi_i$ is normalizable, and so by the induction hypothesis $\Pi_i\theta$ is also normalizable. Thus $\Pi\theta$ is normalizable. □
5.3 Parametric reducibility

Let us first define some terminology concerning derivations. We say that a derivation $\Pi$ has type $C$ if the end sequent of $\Pi$ is of the form $\Gamma \longrightarrow C$ for some $\Gamma$. We say that a set of derivations $\mathcal{S}$ has type $C$, if every derivation $\Pi \in \mathcal{S}$ has type $C$. A set of derivations $\mathcal{R}$ is closed under substitution if for every $\Pi \in \mathcal{R}$ and for every substitution $\theta$, $\Pi\theta \in \mathcal{R}$.
To simplify presentation, we shall use the following notations to denote certain types of derivations. The derivation

ni n„ n 

Ai — >Bi ••• A„ — >B n F — >C 



,A„,r- 



mc 



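is abbreviated as $\mathit{mc}(\Pi_1,\ldots,\Pi_n,\Pi)$. The derivation

$$\infer[\mathrm{I}\mathcal{L}]{\Gamma, p\,\vec{u} \longrightarrow C}{\deduce{B\,S\,\vec{x} \longrightarrow S\,\vec{x}}{\Pi_S} & \deduce{\Gamma, S\,\vec{u} \longrightarrow C}{\Pi}}$$

is abbreviated as $\mathit{ind}(\Pi_S,\Pi)$, and the derivation

$$\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow p\,\vec{u}}{\deduce{\Gamma \longrightarrow S\,\vec{u}}{\Pi} & \deduce{S\,\vec{x} \longrightarrow B\,S\,\vec{x}}{\Pi_S}}$$

is abbreviated as $\mathit{coind}(\Pi,\Pi_S)$.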



Definition 12. Let $F$ be a closed term of type $\alpha_1 \to \cdots \to \alpha_n \to o$. A set of derivations $\mathcal{S}$ is said to be $F$-indexed if every derivation in $\mathcal{S}$ has type $F\,t_1 \ldots t_n$ for some $t_1,\ldots,t_n$.

Given a set $\mathcal{S}$ of derivations and a formula $C$, we denote with $\mathcal{S}|_C$ the set

$$\{\Pi \in \mathcal{S} \mid \Pi \text{ is of type } C\}.$$

We shall now define a family of sets of derivations, which we call parametric reducibility sets.

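Definition 13. Parametric Reducibility. Let $p\,\vec{x} = B\,p\,\vec{x}$ be a co-inductive definition, let $I$ be a closed term of the same type as $p$, let $\mathcal{R}$ be a set of derivations, and let $\mathcal{S}$ be an $I$-indexed set of derivations. Let $C$ be a formula dominated by $p$. We define the parametric reducibility sets $\mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$, consisting of derivations of type $C[I/p]$, by induction on the size of $C$, as follows. (In the following, we shall refer to $C$ as the type of $\mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$.)

1. If $p$ does not appear in $C$ then $\mathrm{RED}^p_C[\mathcal{R},\mathcal{S}] = \mathcal{R}|_C$.

2. If $C = p\,\vec{u}$, for some $\vec{u}$, then $\mathrm{RED}^p_C[\mathcal{R},\mathcal{S}] = \mathcal{S}|_{I\,\vec{u}}$.

3. Otherwise, the family of parametric reducibility sets $\{\mathrm{RED}^p_{C\theta}[\mathcal{R},\mathcal{S}]\}_\theta$ is the smallest family that satisfies the following: for every $\theta$ and for every derivation $\Pi$ of type $C\theta[I/p]$, $\Pi \in \mathrm{RED}^p_{C\theta}[\mathcal{R},\mathcal{S}]$ if one of the following holds:

(a) $\Pi$ ends with $\mathit{mc}$, and all its reducts are in $\mathrm{RED}^p_{C\theta}[\mathcal{R},\mathcal{S}]$.

(b) $\Pi$ ends with ${\supset}\mathcal{R}$, i.e.,

$$\infer[{\supset}\mathcal{R}]{\Gamma \longrightarrow B \supset D[I/p]}{\deduce{\Gamma, B \longrightarrow D[I/p]}{\Pi'}}$$

$\Pi' \in \mathrm{RED}^p_D[\mathcal{R},\mathcal{S}]$, and for every substitution $\rho$ and for every derivation $\Xi$ of $\Delta \longrightarrow B\rho$ in $\mathcal{R}$, we have $\mathit{mc}(\Xi,\Pi'\rho) \in \mathrm{RED}^p_{D\rho}[\mathcal{R},\mathcal{S}]$.

(c) $\Pi$ ends with a rule $\rho$ other than $\mathit{mc}$ and ${\supset}\mathcal{R}$, the minor premise derivations of $\Pi$ are normalizable, and its major premise derivations are in the parametric reducibility sets of the appropriate types.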

From now on, when we write $\mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$, it is understood that $p$ is a co-inductive predicate, $C$ is dominated by $p$, $\mathcal{R}$ is a set of derivations, and $\mathcal{S}$ is an $I$-indexed set of normalizable derivations, for some $I$.

Note that in Definition 13 (3), we define simultaneously the reducibility sets $\mathrm{RED}^p_{C\theta}[\mathcal{R},\mathcal{S}]$ for all substitution $\theta$. This is because in the case the derivation $\Pi$ ends with $\mathrm{eq}\mathcal{L}$, reducibility of $\Pi$ may depend on the reducibility of (possibly infinitely many) derivations which are in $\mathrm{RED}^p_{C\rho}[\mathcal{R},\mathcal{S}]$ for some $\rho$. Since $C\rho$ is of the same size as $C\theta$, its parametric reducibility set may not yet be defined by induction on the size. We therefore need to define this and other reducibility sets which are indexed by instances of $C$ simultaneously.

As with the definition of normalizability, clause (3) in Definition 13 defines a monotone fixed point operator (assuming the parametric reducibility sets of smaller types have been fixed), and it therefore induces a well-founded tree of derivations in the family $\{\mathrm{RED}^p_{C\theta}[\mathcal{R},\mathcal{S}]\}_\theta$. It is immediately clear from the definition that a derivation $\Pi'$ in the family is a predecessor of $\Pi$ (in the same family) if either

- $\Pi$ ends with a left rule and $\Pi'$ is a major premise of $\Pi$, or

- $\Pi$ ends with $\mathit{mc}$ and $\Pi'$ is a reduct of $\Pi$.

We shall call the well-founded tree of successive predecessors of a derivation $\Pi$ in the family $\{\mathrm{RED}^p_{C\theta}[\mathcal{R},\mathcal{S}]\}_\theta$ the parametric reduction of $\Pi$. As with the normalization of a derivation, it has an associated induction principle. Note that, however, this ordering on derivations is defined only in the case where $C$ satisfies the syntactic condition defined in Definition 13(3), i.e., it contains at least an occurrence of $p$ and is not an atomic formula.

The definition of parametric reducibility can be seen as defining a function on $S$-indexed sets. In the case where the type of the parametric reducibility set is the body of the co-inductive definition for $p$, this function corresponds to the underlying fixed point operator for $p$. We shall now define a class of $S$-indexed sets which are closed under this fixed point operator. These sets, called saturated sets in the following, can be seen as post-fixed points of the fixed point operator for the co-inductive definition for $p$. They will be used in defining the reducibility of derivations involving the co-induction rule $\mathrm{CI}\mathcal{R}$.

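Definition 14. Let $\forall\vec{x}.\ p\,\vec{x} = B\,p\,\vec{x}$ be a co-inductive definition. Let $S$ be a closed term of the same type as $p$. Let $\Pi_S$ be a derivation of $S\,\vec{x} \longrightarrow B\,S\,\vec{x}$. Let $\mathcal{R}$ be a set of derivations. An $S$-indexed set $\mathcal{S}$ is a $(\mathcal{R},\Pi_S)$-saturated set if the following hold:

1. Every derivation in $\mathcal{S}$ is normalizable.

2. If $\Pi \in \mathcal{S}$ then $\Pi\theta \in \mathcal{S}$ for any $\theta$.

3. If $\Pi \in \mathcal{S}$ and $\Pi$ is of type $S\,\vec{u}$ for some $\vec{u}$, then $\mathit{mc}(\Pi,\Pi_S[\vec{u}/\vec{x}]) \in \mathrm{RED}^p_{B\,p\,\vec{u}}[\mathcal{R},\mathcal{S}]$.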



5.4 Reducibility 

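We now define a family of reducible sets $\mathrm{RED}_i$ of level $i$.

Definition 15. Reducibility. We define the family $\{\mathrm{RED}_i\}_i$ of reducible sets of level $i$ by induction on $i$. In defining the reducible set of level $i$, we assume that reducible sets of smaller levels have been defined. Each set $\mathrm{RED}_i$ is the smallest set that satisfies the following: For every derivation $\Pi$ of level $i$, $\Pi \in \mathrm{RED}_i$ if one of the following holds:

1. $\Pi$ ends with $\mathit{mc}$ and all its reducts are in $\mathrm{RED}_i$.

2. $\Pi$ is

$$\infer[{\supset}\mathcal{R}]{\Gamma \longrightarrow B \supset D}{\deduce{\Gamma, B \longrightarrow D}{\Pi'}}$$

$\Pi' \in \mathrm{RED}_{\mathrm{lvl}(D)}$, and for every substitution $\theta$ and for every derivation $\Xi$ of $\Delta \longrightarrow B\theta$ in $\mathrm{RED}_{\mathrm{lvl}(B\theta)}$, we have $\mathit{mc}(\Xi,\Pi'\theta) \in \mathrm{RED}_{\mathrm{lvl}(D\theta)}$.

3. $\Pi$ ends with $\mathrm{CI}\mathcal{R}$, i.e., $\Pi$ is

$$\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow p\,\vec{t}}{\deduce{\Gamma \longrightarrow S\,\vec{t}}{\Pi'} & \deduce{S\,\vec{x} \longrightarrow B\,S\,\vec{x}}{\Pi_S}}$$

where $p\,\vec{x} = B\,p\,\vec{x}$, $\Pi'$ and $\Pi_S$ are normalizable, and there exists a $(\mathcal{R},\Pi_S)$-saturated set $\mathcal{S}$, where $\mathcal{R} = \bigcup\{\mathrm{RED}_j \mid j < i\}$, such that $\Pi' \in \mathcal{S}$.

4. $\Pi$ ends with a rule $\rho$ other than $\mathit{mc}$ and ${\supset}\mathcal{R}$, the minor premise derivations of $\Pi$ are normalizable, and its major premise derivations are in the reducibility sets of the appropriate levels.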
As in the definition of normalizability, each clause in the definition of reducibility asserts that a derivation is reducible provided that certain other derivations, called the predecessors of the derivation, are reducible. The definition of reducibility induces a well-founded ordering on derivations in the reducibility sets. We shall refer to this ordering as reducibility ordering and the induced well-founded tree as the reduction of the derivation. We say that a derivation is reducible if it is in $\mathrm{RED}_i$ for some $i$.

Lemma 13. Every reducible derivation is normalizable.

Proof. Given a reducible derivation $\Pi$, it is straightforward to show by induction on its reduction that it is normalizable. In the case where $\Pi$ ends with $\mathrm{CI}\mathcal{R}$, by the definition of saturated sets (Definition 14) and reducibility (Definition 15), its premise derivations are normalizable, and therefore $\Pi$ is also normalizable. □

Lemma 14. If $\Pi$ is reducible then for every substitution $\theta$, $\Pi\theta$ is also reducible.

Proof. The proof is by induction on the reduction of $\Pi$. We consider two non-trivial cases here: the case where $\Pi$ ends with $\mathit{mc}$ and the case where it ends with $\mathrm{CI}\mathcal{R}$. For the former, suppose that $\Pi = \mathit{mc}(\Pi_1,\ldots,\Pi_n,\Pi')$. By Lemma 7, every reduct of $\Pi\theta$, say $\Xi$, is the result of substituting a reduct of $\Pi$. By induction hypothesis, every reduct of $\Pi\theta$ is reducible, hence $\Pi\theta$ is also reducible.

We now consider the case $\Pi$ ends with $\mathrm{CI}\mathcal{R}$, i.e., $\Pi$ is

$$\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow p\,\vec{t}}{\deduce{\Gamma \longrightarrow S\,\vec{t}}{\Pi'} & \deduce{S\,\vec{x} \longrightarrow B\,S\,\vec{x}}{\Pi_S}}$$

where $p\,\vec{x} = B\,p\,\vec{x}$. Let $i$ be the level of $p$ and let $\mathcal{R} = \bigcup\{\mathrm{RED}_j \mid j < \mathrm{lvl}(p)\}$. By the definition of reducibility, we have that $\Pi'$ and $\Pi_S$ are both normalizable, and moreover, there exists a $(\mathcal{R},\Pi_S)$-saturated set $\mathcal{S}$, such that $\Pi' \in \mathcal{S}$. Suppose that $\vec{u} = (\vec{t})\theta$. To show that $\Pi\theta$ is reducible, we must first show that both $\Pi'\theta$ and $\Pi_S$ are normalizable. This is straightforward from the fact that both $\Pi'$ and $\Pi_S$ are normalizable and that normalisation is closed under substitutions (Lemma 12). It remains to show that there exists a $(\mathcal{R},\Pi_S)$-saturated set $\mathcal{S}'$ such that $\Pi'\theta \in \mathcal{S}'$. Let $\mathcal{S}' = \mathcal{S}$. Since saturated sets are closed under substitution and $\Pi' \in \mathcal{S}'$, we have $\Pi'\theta \in \mathcal{S}'$. □

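Lemma 15. Let $p$ be a co-inductive predicate, let $S$ be a closed term of the same type as $p$. Let $\mathcal{R} = \bigcup\{\mathrm{RED}_j \mid j < \mathrm{lvl}(p)\}$, let

$$\mathcal{S} = \bigcup\{\Xi \mid \Xi \text{ is reducible and has type } S\,\vec{t} \text{ for some } \vec{t}\}$$

and let $C$ be a formula dominated by $p$. Then for every reducible derivation $\Pi$ of type $C[S/p]$, $\Pi \in \mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$.

Proof. By induction on the reduction of $\Pi$. If $p$ does not occur in $C$ then $\Pi \in \mathcal{R}$ since in this case $\mathrm{lvl}(C) < \mathrm{lvl}(p)$ (recall that $C$ is dominated by $p$), therefore $\Pi \in \mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$. If $C = p$ then $\Pi \in \mathcal{S}$ (since $\Pi$ is reducible), hence $\Pi \in \mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$. The other cases follow straightforwardly from induction hypothesis. We show here the case where $\Pi$ ends with ${\supset}\mathcal{R}$.

$$\infer[{\supset}\mathcal{R}]{\Gamma \longrightarrow B \supset D[S/p]}{\deduce{\Gamma, B \longrightarrow D[S/p]}{\Pi'}}$$

Note that in this case $C = B \supset D$, and $p$ does not occur in $B$ by the restriction on $C$ ($p$ dominates $C$). Since $\Pi$ is reducible, we have that $\Pi'$ is a reducible predecessor of $\Pi$, and for every substitution $\theta$ and every reducible derivation $\Xi$ of type $B\theta$, we have $\mathit{mc}(\Xi,\Pi'\theta)$ is also a reducible predecessor of $\Pi$. It thus follows from induction hypotheses that $\Pi' \in \mathrm{RED}^p_D[\mathcal{R},\mathcal{S}]$ and for every $\Xi \in \mathcal{R}$ of type $B\theta$ (which is reducible by the definition of $\mathcal{R}$), $\mathit{mc}(\Xi,\Pi'\theta) \in \mathrm{RED}^p_{D\theta}[\mathcal{R},\mathcal{S}]$. Therefore, by the definition of parametric reducibility, we have that $\Pi \in \mathrm{RED}^p_C[\mathcal{R},\mathcal{S}]$. □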



5.5 Reducibility of unfolded derivations 

The following lemmas state that reducibility is preserved by (co)inductive unfolding, under certain assumptions. 

Lemma 16. Inductive unfolding. Let $p\,x = B\,p\,x$ be an inductive definition. Let $\Pi_S$ be a reducible derivation of
$B\,S\,x \longrightarrow S\,x$. Let $\Pi$ be a reducible derivation of $\Gamma \longrightarrow C$ such that $p$ dominates $C$. Suppose the following statements
hold:

1. For every derivation $\Xi$ of $\Delta \longrightarrow B\,p\,u$, if $\mu(\Xi, \Pi_S)$ is reducible, then the derivation $\mathit{mc}(\mu(\Xi, \Pi_S), \Pi_S[u/x])$ is
reducible.

2. For every reducible derivation $\Xi$ of $\Delta \longrightarrow S\,u$ the derivation $\mathit{mc}(\Xi, \mathrm{Id}_{S\,u})$ is reducible.

3. The derivation $\mathrm{ind}(\Pi_S, \mathrm{Id}_{S\,u})$ is reducible, for every $u$ of the appropriate types.

Then the derivation $\mu^p_C(\Pi, \Pi_S)$ of $\Gamma \longrightarrow C[S/p]$ is reducible.

Proof. By induction on the reduction of $\Pi$. We show the non-trivial cases, assuming that $p$ is not vacuous in $C$. To
simplify presentation, we shall write $\mu(\cdot, \cdot)$ instead of $\mu^p_F(\cdot, \cdot)$, since in each of the following cases, it is easy to infer
from the context which $F$ we are referring to.

1. Suppose $\Pi$ ends with the $\mathrm{init}$ rule on $p\,u$. Then $\mu(\Pi, \Pi_S) = \mathrm{ind}(\Pi_S, \mathrm{Id}_{S\,u})$, which is reducible by assumption.

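2. Suppose $\Pi$ ends with $\supset\mathcal{R}$, that is, $C = C_1 \supset C_2$.

$$\infer[\supset\mathcal{R}]{\Gamma \longrightarrow C_1 \supset C_2}{\deduce{\Gamma, C_1 \longrightarrow C_2}{\Pi'}}$$

By the restriction on $C$, we know that $p$ is vacuous in $C_1$, hence $C[S/p] = C_1 \supset C_2[S/p]$. By the definition of
reducibility, the derivation $\Pi'$ is reducible and for every substitution $\theta$ and every reducible derivation $\Psi$ of $\Delta \longrightarrow
C_1\theta$, the derivation $\Xi$

$$\infer[\mathit{mc}]{\Delta, \Gamma\theta \longrightarrow C_2\theta}{\deduce{\Delta \longrightarrow C_1\theta}{\Psi} & \deduce{\Gamma\theta, C_1\theta \longrightarrow C_2\theta}{\Pi'\theta}}$$

is reducible. We want to show that the derivation $\mu(\Pi, \Pi_S)$

$$\infer[\supset\mathcal{R}]{\Gamma \longrightarrow C_1 \supset C_2[S/p]}{\deduce{\Gamma, C_1 \longrightarrow C_2[S/p]}{\mu(\Pi', \Pi_S)}}$$

is reducible. This reduces to showing that $\mu(\Pi', \Pi_S)$ is reducible and that

$$\infer[\mathit{mc}]{\Delta, \Gamma\theta \longrightarrow C_2\theta[S/p]}{\deduce{\Delta \longrightarrow C_1\theta}{\Psi} & \deduce{\Gamma\theta, C_1\theta \longrightarrow C_2\theta[S/p]}{\mu(\Pi', \Pi_S)\theta}}$$

is reducible. The first follows from induction hypothesis on $\Pi'$. For the second derivation, we know from Lemma 5
that

$$\mu(\Pi', \Pi_S)\theta = \mu(\Pi'\theta, \Pi_S).$$

It follows from this and the definition of inductive unfolding (Definition 8) that

$$\mathit{mc}(\Psi, \mu(\Pi', \Pi_S)\theta) = \mathit{mc}(\Psi, \mu(\Pi'\theta, \Pi_S)) = \mu(\mathit{mc}(\Psi, \Pi'\theta), \Pi_S) = \mu(\Xi, \Pi_S).$$

We can apply induction hypothesis on $\Xi$, since it is a predecessor of $\Pi$, to establish the reducibility of $\mu(\Xi, \Pi_S)$.
This, together with reducibility of $\mu(\Pi', \Pi_S)$, implies that $\mu(\Pi, \Pi_S)$ is reducible.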
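3. Suppose $\Pi$ ends with the $\mathrm{I}\mathcal{R}$ rule on $p\,u$.

$$\infer[\mathrm{I}\mathcal{R}]{\Gamma \longrightarrow p\,u}{\deduce{\Gamma \longrightarrow B\,p\,u}{\Pi'}}$$

Then $\mu(\Pi, \Pi_S)$ is the derivation

$$\infer[\mathit{mc}]{\Gamma \longrightarrow S\,u}{\deduce{\Gamma \longrightarrow B\,S\,u}{\mu(\Pi', \Pi_S)} & \deduce{B\,S\,u \longrightarrow S\,u}{\Pi_S[u/x]}}$$

The derivation $\mu(\Pi', \Pi_S)$ is reducible by induction hypothesis. This, together with assumption (1) of the lemma,
implies that $\mu(\Pi, \Pi_S)$ is reducible.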
4. Suppose $\Pi$ ends with $\mathit{mc}$.

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow C}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, D_m, \Gamma' \longrightarrow C}{\Pi'}}$$

Then $\mu(\Pi, \Pi_S)$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow C[S/p]}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, D_m, \Gamma' \longrightarrow C[S/p]}{\mu(\Pi', \Pi_S)}}$$

By the definition of reducibility, every reduct of $\Pi$ is reducible. We need to show that every reduct of $\mu(\Pi, \Pi_S)$ is
reducible.

From Lemma 8, we know that for the case where $C$ is not atomic every reduct of $\mu(\Pi, \Pi_S)$ corresponds to some
reduct of $\Pi$. Similarly, for the case where $\Pi'$ ends with a rule other than $\mathrm{init}$ or $\mathrm{I}\mathcal{R}$, by Lemma 9, the reducts of
$\mu(\Pi, \Pi_S)$ are in one-to-one correspondence with the reducts of $\Pi$. Therefore in these cases, the inductive hypothesis
can be applied to show the reducibility of each reduct of $\mu(\Pi, \Pi_S)$. This leaves us the following two cases,
where $C = p\,u$ and $\Pi'$ ends with either the $\mathrm{I}\mathcal{R}$ or the $\mathrm{init}$ rule.
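- Suppose $\Pi'$ is the derivation

$$\infer[\mathrm{I}\mathcal{R}]{D_1, \ldots, D_m, \Gamma' \longrightarrow p\,u}{\deduce{D_1, \ldots, D_m, \Gamma' \longrightarrow B\,p\,u}{\Pi''}}$$

Let $\Xi_1$ be the derivation

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow B\,p\,u}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, D_m, \Gamma' \longrightarrow B\,p\,u}{\Pi''}}$$

then the derivation

$$\infer[\mathrm{I}\mathcal{R}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow p\,u}{\deduce{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow B\,p\,u}{\Xi_1}}$$

is a reduct of $\Pi$ (by the reduction rule $-/\mathrm{I}\mathcal{R}$), and therefore by the definition of reducibility both this reduct
and $\Xi_1$ are reducible predecessors of $\Pi$. Let $\Psi$ be the derivation

$$\infer[\mathit{mc}]{D_1, \ldots, \Gamma' \longrightarrow S\,u}{\deduce{D_1, \ldots, \Gamma' \longrightarrow B\,S\,u}{\mu(\Pi'', \Pi_S)} & \deduce{B\,S\,u \longrightarrow S\,u}{\Pi_S[u/x]}}$$

Then the derivation $\mu(\Pi, \Pi_S)$ is the following

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow S\,u}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, \Gamma' \longrightarrow S\,u}{\Psi}}$$

The only applicable reduction rule to $\mu(\Pi, \Pi_S)$ is $-/\mathit{mc}$, which gives us the reduct $\Xi$

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow S\,u}{\deduce{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow B\,S\,u}{\Psi'} & \deduce{B\,S\,u \longrightarrow S\,u}{\Pi_S[u/x]}}$$

where $\Psi'$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow B\,S\,u}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, \Gamma' \longrightarrow B\,S\,u}{\mu(\Pi'', \Pi_S)}}$$

Notice that $\Psi'$ is exactly $\mu(\Xi_1, \Pi_S)$, and is reducible by inductive hypothesis. Therefore assumption (1) applies,
and the reduct $\Xi$ is reducible, hence $\mu(\Pi, \Pi_S)$ is also reducible.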
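- Otherwise, suppose $\Pi'$ ends with $\mathrm{init}$, then $D_1 = p\,u$ and $\Pi$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1 \longrightarrow p\,u}{\deduce{\Delta_1 \longrightarrow p\,u}{\Pi_1} & \infer[\mathrm{init}]{p\,u \longrightarrow p\,u}{}}$$

The only reduct of $\Pi$ is $\Pi_1$ since the only applicable reduction is $-/\mathrm{init}$. On the other hand, the derivation
$\mu(\Pi, \Pi_S)$ is

$$\infer[\mathit{mc}]{\Delta_1 \longrightarrow S\,u}{\deduce{\Delta_1 \longrightarrow p\,u}{\Pi_1} & \infer[\mathrm{I}\mathcal{L}]{p\,u \longrightarrow S\,u}{\deduce{B\,S\,x \longrightarrow S\,x}{\Pi_S} & \deduce{S\,u \longrightarrow S\,u}{\mathrm{Id}}}}$$

Its only reduct is (by $\ast/\mathrm{I}\mathcal{L}$)

$$\infer[\mathit{mc}]{\Delta_1 \longrightarrow S\,u}{\deduce{\Delta_1 \longrightarrow S\,u}{\mu(\Pi_1, \Pi_S)} & \deduce{S\,u \longrightarrow S\,u}{\mathrm{Id}}}$$

The derivation $\mu(\Pi_1, \Pi_S)$ is reducible by inductive hypothesis ($\Pi_1$ is a predecessor of $\Pi$) and assumption (2)
applies, and the above reduct is reducible.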

□ 

Remark 1. Intuitively, condition (1) of Lemma 16 can be seen as asserting that the set of reducible derivations whose 
types are instances of Sx forms a pre-fixed point of the fixed point operator induced by the inductive definition of p. 

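Lemma 17. Co-inductive unfolding. Let $p\,x = B\,p\,x$ be a co-inductive definition. Let $\Pi_S$ be a normalizable derivation
of $S\,x \longrightarrow B\,S\,x$ for some invariant $S$. Let $\mathcal{R} = \bigcup\{\mathrm{RED}_j \mid j < \mathrm{lvl}(p)\}$, and let $\mathcal{S}$ be a $(\mathcal{R}, \Pi_S)$-saturated set. Let $\Pi$ be a
derivation of $\Gamma \longrightarrow C[S/p]$ for some $C$ dominated by $p$. If $\Pi \in \mathrm{RED}^p_C[\mathcal{R}, \mathcal{S}]$ then $\nu^p_C(\Pi, \Pi_S)$ is reducible.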

Proof. By induction on the size of $C$, with sub-induction on the parametric reduction of $\Pi$. As in the proof of inductive
unfolding, we omit the subscript and superscript in the $\nu$ function to simplify the presentation of the proof.

1. If $p$ is not free in $C$, then $\nu(\Pi, \Pi_S) = \Pi$. Since $\Pi \in \mathrm{RED}^p_C[\mathcal{R}, \mathcal{S}]$, it follows from the definition of parametric
reducibility that $\Pi \in \mathcal{R}$, hence it is reducible by assumption.

2. Suppose $C = p\,u$. Then $C[S/p] = S\,u$ and $\nu(\Pi, \Pi_S)$ is the derivation

$$\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow p\,u}{\deduce{\Gamma \longrightarrow S\,u}{\Pi} & \deduce{S\,x \longrightarrow B\,S\,x}{\Pi_S}}$$

To show that this derivation is reducible, we first show that there exists a $(\mathcal{R}, \Pi_S)$-saturated set $\mathcal{S}'$ such that $\Pi \in \mathcal{S}'$.
Since $\Pi \in \mathrm{RED}^p_{p\,u}[\mathcal{R}, \mathcal{S}]$, by the definition of parametric reducibility, we have $\Pi \in \mathcal{S}$. Let $\mathcal{S}' = \mathcal{S}$. Then $\mathcal{S}'$ is indeed
a $(\mathcal{R}, \Pi_S)$-saturated set containing $\Pi$. It remains to show that both $\Pi$ and $\Pi_S$ are normalizable. This follows from
the assumption on $\Pi_S$ and the fact that saturated sets contain only normalizable derivations.

3. Suppose $p$ occurs in $C$ but $C \neq p\,u$ for any $u$. There are several subcases, depending on the last rule in $\Pi$. Then we
show by induction on parametric reducibility of $\Pi$ that it is also reducible.

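(a) The base cases are those where $\Pi$ ends with a rule with empty premises and where $\Pi$ ends with a right-
introduction rule. In the former case, its reducibility is immediate from the definition of reducibility (Definition 15).
For the latter, in most cases, the reducibility of $\Pi$ follows from the outer induction hypothesis
(since in this case, the premise derivations of $\Pi$ are in the parametric reducibility sets of smaller types) and
Definition 15. We show here a non-trivial case involving implication-right: Suppose $\Pi$ ends with $\supset\mathcal{R}$, i.e.,
$C = C_1 \supset C_2$ for some $C_1$ and $C_2$.

$$\infer[\supset\mathcal{R}]{\Gamma \longrightarrow C_1 \supset C_2[S/p]}{\deduce{\Gamma, C_1 \longrightarrow C_2[S/p]}{\Pi'}}$$

Note that $p$ is vacuous in $C_1$ by the restriction on $C$. The derivation $\nu(\Pi, \Pi_S)$ is

$$\infer[\supset\mathcal{R}]{\Gamma \longrightarrow C_1 \supset C_2}{\deduce{\Gamma, C_1 \longrightarrow C_2}{\nu(\Pi', \Pi_S)}}$$

To show that $\nu(\Pi, \Pi_S)$ is reducible, we need to show that $\nu(\Pi', \Pi_S)$ is reducible, and for every $\theta$ and every
$\Psi \in \mathrm{RED}_{C_1\theta}$, we have $\mathit{mc}(\Psi, \nu(\Pi', \Pi_S)\theta) \in \mathrm{RED}_{C_2\theta}$.

The parametric reducibility of $\Pi$ implies that $\Pi' \in \mathrm{RED}^p_{C_2}[\mathcal{R}, \mathcal{S}]$ and for every $\theta$ and every derivation $\Psi' \in \mathcal{R}$,
$\mathit{mc}(\Psi', \Pi'\theta) \in \mathrm{RED}^p_{C_2\theta}[\mathcal{R}, \mathcal{S}]$. Note that $\Psi$ is in $\mathcal{R}$ since $\mathrm{lvl}(C_1\theta) < \mathrm{lvl}(p)$. Therefore we also have
$\mathit{mc}(\Psi, \Pi'\theta) \in \mathrm{RED}^p_{C_2\theta}[\mathcal{R}, \mathcal{S}]$. By the outer induction hypothesis, we have that both

$$\nu(\Pi', \Pi_S) \quad\text{and}\quad \nu(\mathit{mc}(\Psi, \Pi'\theta), \Pi_S)$$

are reducible. It remains to show that $\mathit{mc}(\Psi, \nu(\Pi', \Pi_S)\theta)$ is reducible. Note that by Lemma 6 this derivation
is equivalent to $\mathit{mc}(\Psi, \nu(\Pi'\theta, \Pi_S))$. To show that this derivation is reducible, there are two cases to consider.
If $C_2$ is non-atomic then it is easy to see that $\mathit{mc}(\Psi, \nu(\Pi'\theta, \Pi_S))$ is equivalent to $\nu(\mathit{mc}(\Psi, \Pi'\theta), \Pi_S)$, which is
reducible by the outer induction hypothesis. If, however, $C_2 = p\,u$ for some $u$, then $\mathit{mc}(\Psi, \nu(\Pi'\theta, \Pi_S))$ is the
derivation (supposing that the end sequent of $\Psi$ is $\Delta \longrightarrow C_1\theta$):

$$\infer[\mathit{mc}]{\Delta, \Gamma\theta \longrightarrow p\,u}{\deduce{\Delta \longrightarrow C_1\theta}{\Psi} & \infer[\mathrm{CI}\mathcal{R}]{C_1\theta, \Gamma\theta \longrightarrow p\,u}{\deduce{C_1\theta, \Gamma\theta \longrightarrow S\,u}{\Pi'\theta} & \deduce{S\,x \longrightarrow B\,S\,x}{\Pi_S}}}$$

To show that this derivation is reducible, we must show that all its reducts are reducible. There is only one
reduction rule that is applicable in this case, i.e., the $-/\mathrm{CI}\mathcal{R}$-case, which leads to the following derivation:

$$\infer[\mathrm{CI}\mathcal{R}]{\Delta, \Gamma\theta \longrightarrow p\,u}{\infer[\mathit{mc}]{\Delta, \Gamma\theta \longrightarrow S\,u}{\deduce{\Delta \longrightarrow C_1\theta}{\Psi} & \deduce{C_1\theta, \Gamma\theta \longrightarrow S\,u}{\Pi'\theta}} & \deduce{S\,x \longrightarrow B\,S\,x}{\Pi_S}}$$

But notice that this is exactly the derivation $\nu(\mathit{mc}(\Psi, \Pi'\theta), \Pi_S)$, which is reducible by the outer induction
hypothesis.

Having shown that $\nu(\Pi', \Pi_S)$ and $\mathit{mc}(\Psi, \nu(\Pi', \Pi_S)\theta)$ are reducible, we have sufficient conditions to conclude
that $\nu(\Pi, \Pi_S)$ is indeed reducible.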
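(b) For the inductive cases, $\Pi$ ends either with $\mathit{mc}$ or a left-rule. We show the former case here (the other cases
are straightforward). Suppose $\Pi$ is

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow C[S/p]}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, D_m, \Gamma' \longrightarrow C[S/p]}{\Pi'}}$$

Then $\nu(\Pi, \Pi_S)$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1, \ldots, \Delta_m, \Gamma' \longrightarrow C}{\deduce{\Delta_1 \longrightarrow D_1}{\Pi_1} & \cdots & \deduce{\Delta_m \longrightarrow D_m}{\Pi_m} & \deduce{D_1, \ldots, D_m, \Gamma' \longrightarrow C}{\nu(\Pi', \Pi_S)}}$$

The derivation $\nu(\Pi, \Pi_S)$ is reducible if every reduct of $\nu(\Pi, \Pi_S)$ is also reducible. From Lemma 10, it follows
that every reduct of $\nu(\Pi, \Pi_S)$ is of the form $\nu(\Xi, \Pi_S)$ where $\Xi$ is a reduct of $\Pi$. Since all reducts of $\Pi$ are
predecessors of $\Pi$ in the parametric reducibility ordering, we can apply the inductive hypothesis to show that
every reduct of $\nu(\Pi, \Pi_S)$ is reducible, hence $\nu(\Pi, \Pi_S)$ is also reducible.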

□ 
5.6 Cut elimination

Most cases in the cut elimination proof for Linc⁻ in the following are similar to those of $FO\lambda^{\Delta\mathbb{N}}$. The crucial differences
are in the handling of the essential cut reductions for inductive and co-inductive rules.⁴ In the case of derivations
of inductive predicates, a crucial part of the proof is in establishing that the S-indexed set of reducible derivations
(where S is an inductive invariant) satisfies the conditions of Lemma 16 (in effect, demonstrating that the said set
forms a pre-fixed point). Dually, in the case for co-inductive proofs, one must show that the S-indexed set of reducible
derivations, where S is a co-inductive invariant, forms a saturated set (i.e., a post fixed point of the co-inductive
definition involved).
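
The pre-fixed point and post-fixed point readings mentioned here and in Remark 1 can be checked in a small set-theoretic model. The following Lean 4 sketch is an added illustration, not part of the paper's proof-theoretic development: the names `Mono`, `Ind`, `CoInd` and the four theorems are hypothetical, the body $B$ is modelled as an operator on predicates, and monotonicity of $B$ is assumed explicitly where the unfolding directions need it.

```lean
universe u

/-- A definition body `B` is monotone when it preserves inclusion of predicates. -/
def Mono {α : Type u} (B : (α → Prop) → α → Prop) : Prop :=
  ∀ P Q : α → Prop, (∀ x, P x → Q x) → ∀ x, B P x → B Q x

/-- Inductive reading of `p`: the intersection of all pre-fixed points of `B`. -/
def Ind {α : Type u} (B : (α → Prop) → α → Prop) (t : α) : Prop :=
  ∀ S : α → Prop, (∀ x, B S x → S x) → S t

/-- Co-inductive reading of `p`: the union of all post-fixed points of `B`. -/
def CoInd {α : Type u} (B : (α → Prop) → α → Prop) (t : α) : Prop :=
  ∃ S : α → Prop, (∀ x, S x → B S x) ∧ S t

/-- Induction-left: an invariant `S` with `B S x → S x` and `S t → C` gives `p t → C`. -/
theorem ind_left {α : Type u} (B : (α → Prop) → α → Prop) (S : α → Prop)
    (C : Prop) (t : α) (hS : ∀ x, B S x → S x) (hC : S t → C) : Ind B t → C :=
  fun h => hC (h S hS)

/-- Induction-right: `B p t → p t`; this direction uses monotonicity. -/
theorem ind_right {α : Type u} (B : (α → Prop) → α → Prop) (hB : Mono B)
    (t : α) : B (Ind B) t → Ind B t :=
  fun h S hS => hS t (hB (Ind B) S (fun _ hx => hx S hS) t h)

/-- Co-induction-right: an invariant `S` with `S x → B S x` and `S t` gives `p t`. -/
theorem coind_right {α : Type u} (B : (α → Prop) → α → Prop) (S : α → Prop)
    (t : α) (hS : ∀ x, S x → B S x) (ht : S t) : CoInd B t :=
  ⟨S, hS, ht⟩

/-- Co-induction-left: `p t → B p t`; again by monotonicity. -/
theorem coind_left {α : Type u} (B : (α → Prop) → α → Prop) (hB : Mono B)
    (t : α) : CoInd B t → B (CoInd B) t :=
  fun ⟨S, hS, ht⟩ => hB S (CoInd B) (fun _ hx => ⟨S, hS, hx⟩) t (hS t ht)
```

In this model `ind_left` and `coind_right` are the rules that take an invariant `S`, which is the role the S-indexed sets of reducible derivations play in Lemma 16 and Lemma 17.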

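Lemma 18. For any derivation $\Pi$ of $B_1, \ldots, B_n, \Gamma \longrightarrow C$, for any reducible derivations

$$\deduce{\Delta_1 \longrightarrow B_1}{\Pi_1}, \quad \ldots, \quad \deduce{\Delta_n \longrightarrow B_n}{\Pi_n}$$

where $n \geq 0$, and for any substitutions $\delta_1, \ldots, \delta_n, \gamma$ such that $B_i\delta_i = B_i\gamma$ for every $i \in \{1, \ldots, n\}$, the derivation $\Xi$

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow B_1\delta_1}{\Pi_1\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{B_1\gamma, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow C\gamma}{\Pi\gamma}}$$

is reducible.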

Proof. The proof is by induction on $\mathrm{indm}(\Pi)$ with subordinate induction on $\mathrm{ht}(\Pi)$, on $n$ and on the reductions of
$\Pi_1, \ldots, \Pi_n$. The proof does not rely on the order of the inductions on reductions. Thus when we need to distinguish
one of the $\Pi_i$, we shall refer to it as $\Pi_1$ without loss of generality. The derivation $\Xi$ is reducible if all its reducts are
reducible.

If $n = 0$, then $\Xi$ reduces to $\Pi\gamma$, thus in this case we show that $\Pi\gamma$ is reducible. Since reducibility is preserved by
substitution (Lemma 14), it is enough to show that $\Pi$ is reducible. This is proved by a case analysis of the last rule in
$\Pi$. For each case, the result follows easily from the induction hypothesis on $\mathrm{ht}(\Pi)$ and Definition 15. The $\supset\mathcal{R}$ case
requires that substitution for variables does not increase the measures of a derivation. In the cases for $\supset\mathcal{L}$ and $\mathrm{I}\mathcal{L}$
we need the additional information that reducibility implies normalizability (Lemma 13). The case for $\mathrm{CI}\mathcal{R}$ requires
special attention. Let $p\,x = D\,p\,x$ be a co-inductive definition. Suppose $\Pi$ is the derivation

$$\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow p\,t}{\deduce{\Gamma \longrightarrow S\,t}{\Pi'} & \deduce{S\,x \longrightarrow D\,S\,x}{\Pi_S}}$$

for some invariant $S$. Let $\mathcal{R} = \bigcup\{\mathrm{RED}_j \mid j < \mathrm{lvl}(p)\}$. To show that $\Pi$ is reducible we must show that its premises
are normalizable and that there exists a $(\mathcal{R}, \Pi_S)$-saturated set $\mathcal{S}$ such that $\Pi' \in \mathcal{S}$. The former follows from the outer
induction hypothesis and Lemma 13. For the latter, the set $\mathcal{S}$ is defined as follows:

$$\mathcal{S} = \{\Psi \mid \Psi \text{ is a reducible derivation of type } S\,u, \text{ for some } u\}.$$

Since $\Pi'$ is reducible by induction hypothesis, we have $\Pi' \in \mathcal{S}$. It remains to show that $\mathcal{S}$ is a $(\mathcal{R}, \Pi_S)$-saturated set.
More specifically, we show that $\mathcal{S}$ has the following properties.

1. Every derivation in $\mathcal{S}$ is normalizable.

2. If $\Psi \in \mathcal{S}$ then $\Psi\theta \in \mathcal{S}$ for any $\theta$.

3. If $\Psi \in \mathcal{S}$ and $\Psi$ is of type $S\,u$ for some $u$, then $\mathit{mc}(\Psi, \Pi_S[u/x]) \in \mathrm{RED}^p_{D\,p\,u}[\mathcal{R}, \mathcal{S}]$.

⁴ We also note that McDowell and Miller's proof of cut elimination for $FO\lambda^{\Delta\mathbb{N}}$ given in [25] appears to contain a small gap in
the proof of a main technical lemma. More specifically, they use a similar technical lemma as Lemma 18, but without the extra
assumptions about the substitutions $\delta_1, \ldots, \delta_n, \gamma$. The problem with their formulation of the lemma appears in the case involving
the $\mathrm{eq}\mathcal{L}/\circ\mathcal{L}$ reduction rule. This problem is fixed in our cut elimination proof with the more general statement of Lemma 18.
See http://www.lix.polytechnique.fr/~dale/papers/tcs00.errata.html for details of the errata in their paper.
Property (1) follows from the fact that reducibility implies normalizability (Lemma 13). Property (2) follows from the
fact that reducibility is closed under substitution (Lemma 14). To prove (3), first notice that by Lemma 2, $\mathrm{indm}(\Pi_S[u/x]) \leq
\mathrm{indm}(\Pi_S) \leq \mathrm{indm}(\Pi)$ and $\mathrm{ht}(\Pi_S[u/x]) \leq \mathrm{ht}(\Pi_S) < \mathrm{ht}(\Pi)$. Therefore, by the outer induction hypothesis, we have that
$\mathit{mc}(\Psi, \Pi_S[u/x])$ is reducible. By Lemma 15, we have that $\mathit{mc}(\Psi, \Pi_S[u/x]) \in \mathrm{RED}^p_{D\,p\,u}[\mathcal{R}, \mathcal{S}]$. Therefore, $\mathcal{S}$ is a $(\mathcal{R}, \Pi_S)$-
saturated set containing $\Pi'$, hence $\Pi$ is reducible.

For $n > 0$, we analyze all possible cut reductions and show for each case the reduct is reducible. Some cases follow
immediately from inductive hypothesis. We show here the non-trivial cases.

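$\supset\mathcal{R}/\supset\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[\supset\mathcal{R}]{\Delta_1 \longrightarrow B_1' \supset B_1''}{\deduce{\Delta_1, B_1' \longrightarrow B_1''}{\Pi_1'}} \qquad \infer[\supset\mathcal{L}]{B_1' \supset B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}{\deduce{B_2, \ldots, \Gamma \longrightarrow B_1'}{\Pi'} & \deduce{B_1'', B_2, \ldots, \Gamma \longrightarrow C}{\Pi''}}$$

The derivation $\Xi_1$

$$\infer[\mathit{mc}]{\Delta_2\delta_2, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow B_1'\gamma}{\deduce{\Delta_2\delta_2 \longrightarrow B_2\delta_2}{\Pi_2\delta_2} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{B_2\gamma, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow B_1'\gamma}{\Pi'\gamma}}$$

is reducible by induction hypothesis since $\mathrm{indm}(\Pi') \leq \mathrm{indm}(\Pi)$ and $\mathrm{ht}(\Pi') < \mathrm{ht}(\Pi)$. Since $\Pi_1$ is reducible, by
Definition 15 the derivation $\Xi_2$

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow B_1''\delta_1}{\deduce{\Delta_2\delta_2, \ldots, \Gamma\gamma \longrightarrow B_1'\gamma}{\Xi_1} & \deduce{B_1'\delta_1, \Delta_1\delta_1 \longrightarrow B_1''\delta_1}{\Pi_1'\delta_1}}$$

is a predecessor of $\Pi_1$ and therefore is reducible. The reduct of $\Xi$ in this case is the following derivation

$$\infer[\mathrm{c}\mathcal{L}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma, \Delta_2\delta_2, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\ldots \longrightarrow B_1''\delta_1}{\Xi_2} & \left\{\deduce{\Delta_i\delta_i \longrightarrow B_i\delta_i}{\Pi_i\delta_i}\right\}_{i \in \{2, \ldots, n\}} & \deduce{B_1''\gamma, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow C\gamma}{\Pi''\gamma}}}$$

which is reducible by induction hypothesis and Definition 15.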
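$\forall\mathcal{R}/\forall\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[\forall\mathcal{R}]{\Delta_1 \longrightarrow \forall x.B_1'}{\deduce{\Delta_1 \longrightarrow B_1'[y/x]}{\Pi_1'}} \qquad \infer[\forall\mathcal{L}]{\forall x.B_1', B_2, \ldots, B_n, \Gamma \longrightarrow C}{\deduce{B_1'[t/x], B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}$$

Since we identify derivations that differ only in the choice of intermediate eigenvariables that are not free in the
end sequents, we can choose a variable $y$ such that it is not free in the domains and ranges of $\delta_1$ and $\gamma$. We assume
without loss of generality that $x$ is chosen to be fresh with respect to the free variables in the substitutions so we
can push the substitutions under the binder. The derivation $\Xi$ is thus

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\infer[\forall\mathcal{R}]{\Delta_1\delta_1 \longrightarrow \forall x.B_1'\delta_1}{\deduce{\Delta_1\delta_1 \longrightarrow B_1'\delta_1[y/x]}{\Pi_1'\delta_1}} & \cdots & \infer[\forall\mathcal{L}]{\forall x.B_1'\gamma, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\deduce{B_1'\gamma[t\gamma/x], \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi'\gamma}}}$$

Let $\delta_1' = \delta_1 \circ [t\gamma/y]$. The reduct of $\Xi$ in this case is

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow B_1'\delta_1[t\gamma/x]}{\Pi_1'\delta_1'} & \cdots & \deduce{B_1'\gamma[t\gamma/x], \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi'\gamma}}$$

which is reducible by induction hypothesis.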
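$\mathrm{eq}\mathcal{R}/\mathrm{eq}\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[\mathrm{eq}\mathcal{R}]{\Delta_1 \longrightarrow s = t}{} \qquad \infer[\mathrm{eq}\mathcal{L}]{s = t, \ldots, B_n, \Gamma \longrightarrow C}{\left\{\deduce{B_2\rho, \ldots, B_n\rho, \Gamma\rho \longrightarrow C\rho}{\Pi^{\rho}}\right\}_{\rho}}$$

Then $\Xi$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\infer[\mathrm{eq}\mathcal{R}]{\Delta_1\delta_1 \longrightarrow (s = t)\delta_1}{} & \cdots & \infer[\mathrm{eq}\mathcal{L}]{(s = t)\gamma, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow C\gamma}{\left\{\deduce{B_2\gamma\rho', \ldots, B_n\gamma\rho', \Gamma\gamma\rho' \longrightarrow C\gamma\rho'}{\Pi^{\gamma \circ \rho'}}\right\}_{\rho'}}}$$

The $\mathrm{eq}\mathcal{R}$ tells us that $s$ and $t$ are unifiable via empty substitution (i.e., they are the same normal terms). The reduct
of $\Xi$

$$\infer[\mathrm{w}\mathcal{L}]{\Delta_1\delta_1, \Delta_2\delta_2, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\infer[\mathit{mc}]{\Delta_2\delta_2, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\Delta_2\delta_2 \longrightarrow B_2\delta_2}{\Pi_2\delta_2} & \cdots & \deduce{B_2\gamma, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi^{\gamma}}}}$$

is therefore reducible by induction hypothesis.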
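$\ast/\mathrm{I}\mathcal{L}$: Suppose $\Pi$ is the derivation

$$\infer[\mathrm{I}\mathcal{L}]{p\,t, \Gamma \longrightarrow C}{\deduce{D\,S\,x \longrightarrow S\,x}{\Pi_S} & \deduce{S\,t, \Gamma \longrightarrow C}{\Pi'}}$$

where $p\,x = D\,p\,x$. Let $p\,u$ be the result of applying $\delta_1$ to $p\,t$. Then $\Xi$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow p\,u}{\Pi_1\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \infer[\mathrm{I}\mathcal{L}]{p\,u, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\deduce{D\,S\,x \longrightarrow S\,x}{\Pi_S} & \deduce{S\,u, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi'\gamma}}}$$

The derivation $\Xi$ reduces to the derivation $\Xi'$

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow S\,u}{\mu(\Pi_1, \Pi_S)\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{S\,u, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi'\gamma}}$$

Notice that we have used the fact that

$$\mu(\Pi_1\delta_1, \Pi_S) = \mu(\Pi_1, \Pi_S)\delta_1$$

in the derivation above, which follows from Lemma 5. Therefore, in order to prove that $\Xi'$ is reducible, it remains
to show that the unfolding of $\Pi_1$ produces a reducible derivation. This will be proved using Lemma 16, but we
shall first prove the following properties, which are the conditions for applying Lemma 16:

1. For every derivation $\Psi$ of $\Delta \longrightarrow D\,p\,s$, if $\mu(\Psi, \Pi_S)$ is reducible, then the derivation $\mathit{mc}(\mu(\Psi, \Pi_S), \Pi_S[s/x])$ is
reducible.

2. For every reducible derivation $\Psi$ of $\Delta \longrightarrow S\,u$ the derivation $\mathit{mc}(\Psi, \mathrm{Id}_{S\,u})$ is reducible.

3. The derivation $\mathrm{ind}(\Pi_S, \mathrm{Id}_{S\,u})$ is reducible, for every $u$ of the appropriate types.

To prove (1), we observe that $\mathrm{indm}(\Pi_S[u/x]) \leq \mathrm{indm}(\Pi_S) < \mathrm{indm}(\Pi)$, so by the outer induction hypothesis, the
derivation $\mathit{mc}(\mu(\Xi, \Pi_S), \Pi_S[u/x])$ is reducible. Property (2) is proved similarly, by observing that $\mathrm{indm}(\mathrm{Id}_{S\,u}) <
\mathrm{indm}(\Pi)$ (since identity derivations do not use the $\mathrm{I}\mathcal{L}$ rule; c.f. Lemma 4). Property (3) follows from the fact that
$\mathrm{Id}_{S\,u}$ is reducible and that $\Pi_S$ is reducible (hence, also normalizable). Having shown these three properties, using
Lemma 16 we conclude that $\mu(\Pi_1, \Pi_S)$ is reducible, hence, by the outer induction ($\Pi'$ is smaller than $\Pi$), the
reduct $\Xi'$ is reducible.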
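$\mathrm{CI}\mathcal{R}/\mathrm{CI}\mathcal{L}$: Suppose $\Pi_1$ and $\Pi$ are

$$\infer[\mathrm{CI}\mathcal{R}]{\Delta_1 \longrightarrow p\,t}{\deduce{\Delta_1 \longrightarrow S\,t}{\Pi_1'} & \deduce{S\,x \longrightarrow D\,S\,x}{\Pi_S}} \qquad \infer[\mathrm{CI}\mathcal{L}]{p\,t, B_2, \ldots, \Gamma \longrightarrow C}{\deduce{D\,p\,t, B_2, \ldots, \Gamma \longrightarrow C}{\Pi'}}$$

where $p\,x = D\,p\,x$. Suppose $(p\,t)\delta_1 = (p\,t)\gamma = p\,u$. Then $\Xi$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\infer[\mathrm{CI}\mathcal{R}]{\Delta_1\delta_1 \longrightarrow p\,u}{\deduce{\Delta_1\delta_1 \longrightarrow S\,u}{\Pi_1'\delta_1} & \deduce{S\,x \longrightarrow D\,S\,x}{\Pi_S}} & \cdots & \infer[\mathrm{CI}\mathcal{L}]{p\,u, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\deduce{D\,p\,u, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi'\gamma}}}$$

Let $\mathcal{R} = \bigcup\{\mathrm{RED}_F \mid \mathrm{lvl}(F) < \mathrm{lvl}(p)\}$. Since $\Pi_1$ is reducible, there exists a $(\mathcal{R}, \Pi_S)$-saturated set $\mathcal{S}$ such that
$\Pi_1' \in \mathcal{S}$. Let $\Xi_1$ be the derivation

$$\infer[\mathit{mc}]{\Delta_1\delta_1 \longrightarrow D\,S\,u}{\deduce{\Delta_1\delta_1 \longrightarrow S\,u}{\Pi_1'\delta_1} & \deduce{S\,u \longrightarrow D\,S\,u}{\Pi_S[u/x]}}$$

Since $\mathcal{S}$ is a $(\mathcal{R}, \Pi_S)$-saturated set, by Definition 14, $\Xi_1 \in \mathrm{RED}^p_{D\,p\,u}[\mathcal{R}, \mathcal{S}]$. It then follows from Lemma 17 that
$\nu(\Xi_1, \Pi_S)$ is reducible.

The reduct of $\Xi$ is the derivation

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow D\,p\,u}{\nu(\Xi_1, \Pi_S)} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{D\,p\,u, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow C\gamma}{\Pi'\gamma}}$$

Its reducibility follows from the reducibility of $\nu(\Xi_1, \Pi_S)$ and the outer induction hypothesis.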
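$\supset\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is

$$\infer[\supset\mathcal{L}]{D_1' \supset D_1'', \Delta_1' \longrightarrow B_1}{\deduce{\Delta_1' \longrightarrow D_1'}{\Pi_1'} & \deduce{D_1'', \Delta_1' \longrightarrow B_1}{\Pi_1''}}$$

Since $\Pi_1$ is reducible, it follows from Definition 15 that $\Pi_1'$ is normalizable and $\Pi_1''$ is reducible. Let $\Xi_1$ be the
derivation

$$\infer[\mathit{mc}]{D_1''\delta_1, \Delta_1'\delta_1, \Delta_2\delta_2, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\deduce{D_1''\delta_1, \Delta_1'\delta_1 \longrightarrow B_1\delta_1}{\Pi_1''\delta_1} & \deduce{\Delta_2\delta_2 \longrightarrow B_2\delta_2}{\Pi_2\delta_2} & \cdots & \deduce{B_1\delta_1, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi\gamma}}$$

$\Xi_1$ is reducible by induction hypothesis on the reduction of $\Pi_1$ ($\Pi_1''$ is a predecessor of $\Pi_1$). The reduct of $\Xi$ in this
case is the derivation

$$\infer[\supset\mathcal{L}]{(D_1' \supset D_1'')\delta_1, \Delta_1'\delta_1, \Delta_2\delta_2, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\infer[\mathrm{w}\mathcal{L}]{\Delta_1'\delta_1, \Delta_2\delta_2, \ldots, \Gamma\gamma \longrightarrow D_1'\delta_1}{\deduce{\Delta_1'\delta_1 \longrightarrow D_1'\delta_1}{\Pi_1'\delta_1}} & \deduce{D_1''\delta_1, \Delta_1'\delta_1, \Delta_2\delta_2, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Xi_1}}$$

Since $\Pi_1'$ is normalizable and substitutions preserve normalizability, by Definition 11 the left premise of the reduct
is normalizable, and hence the reduct is reducible.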
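$\mathrm{eq}\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is

$$\infer[\mathrm{eq}\mathcal{L}]{s = t, \Delta_1' \longrightarrow B_1}{\left\{\deduce{\Delta_1'\rho \longrightarrow B_1\rho}{\Pi^{\rho}}\right\}_{\rho}}$$

Then $\Xi$ is the derivation

$$\infer[\mathit{mc}]{(s = t)\delta_1, \Delta_1'\delta_1, \Delta_2\delta_2, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\infer[\mathrm{eq}\mathcal{L}]{(s = t)\delta_1, \Delta_1'\delta_1 \longrightarrow B_1\delta_1}{\left\{\deduce{\Delta_1'\delta_1\rho' \longrightarrow B_1\delta_1\rho'}{\Pi^{\delta_1 \circ \rho'}}\right\}_{\rho'}} & \deduce{\Delta_2\delta_2 \longrightarrow B_2\delta_2}{\Pi_2\delta_2} & \cdots & \deduce{B_1\gamma, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\Pi\gamma}}$$

Notice that each premise derivation $\Pi^{\delta_1 \circ \rho'}$ of $\Pi_1\delta_1$ is also a premise derivation of $\Pi_1$, since for every unifier $\rho'$
of $(s = t)\delta_1$, there is a unifier of $s = t$, i.e., the substitution $\delta_1 \circ \rho'$. Therefore every $\Pi^{\delta_1 \circ \rho'}$ is a predecessor of $\Pi_1$.
Let $\Xi^{\rho'}$ be the derivation

$$\infer[\mathit{mc}]{\Delta_1'\delta_1\rho', \Delta_2\delta_2\rho', \ldots, \Gamma\gamma\rho' \longrightarrow C\gamma\rho'}{\deduce{\Delta_1'\delta_1\rho' \longrightarrow B_1\delta_1\rho'}{\Pi^{\delta_1 \circ \rho'}} & \deduce{\Delta_2\delta_2\rho' \longrightarrow B_2\delta_2\rho'}{\Pi_2\delta_2\rho'} & \cdots & \deduce{B_1\gamma\rho', \ldots, \Gamma\gamma\rho' \longrightarrow C\gamma\rho'}{\Pi\gamma\rho'}}$$

The reduct of $\Xi$

$$\infer[\mathrm{eq}\mathcal{L}]{(s = t)\delta_1, \Delta_1'\delta_1, \ldots, \Gamma\gamma \longrightarrow C\gamma}{\left\{\deduce{\Delta_1'\delta_1\rho', \Delta_2\delta_2\rho', \ldots, \Gamma\gamma\rho' \longrightarrow C\gamma\rho'}{\Xi^{\rho'}}\right\}_{\rho'}}$$

is then reducible by Definition 15.

$\mathrm{I}\mathcal{L}/\circ\mathcal{L}$: Suppose $\Pi_1$ is

$$\infer[\mathrm{I}\mathcal{L}]{p\,t, \Delta_1' \longrightarrow B_1}{\deduce{D\,S\,x \longrightarrow S\,x}{\Pi_S} & \deduce{S\,t, \Delta_1' \longrightarrow B_1}{\Pi_1'}}$$

Since $\Pi_1$ is reducible, it follows from the definition of reducibility that $\Pi_1'$ is a reducible predecessor of $\Pi_1$ and $\Pi_S$
is normalizable. Suppose $p\,u = (p\,t)\delta_1 = (p\,t)\gamma$. Let $\Xi_1$ be the derivation

$$\infer[\mathit{mc}]{S\,u, \Delta_1'\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{S\,u, \Delta_1'\delta_1 \longrightarrow B_1\delta_1}{\Pi_1'\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{B_1\gamma, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow C\gamma}{\Pi\gamma}}$$

$\Xi_1$ is reducible by induction on the reduction of $\Pi_1$, therefore the reduct of $\Xi$

$$\infer[\mathrm{I}\mathcal{L}]{p\,u, \Delta_1'\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\deduce{D\,S\,x \longrightarrow S\,x}{\Pi_S} & \deduce{S\,u, \Delta_1'\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow C\gamma}{\Xi_1}}$$

is reducible.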
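$-/\supset\mathcal{L}$: Suppose $\Pi$ is

$$\infer[\supset\mathcal{L}]{B_1, \ldots, B_n, D' \supset D'', \Gamma' \longrightarrow C}{\deduce{B_1, \ldots, B_n, \Gamma' \longrightarrow D'}{\Pi'} & \deduce{B_1, \ldots, B_n, D'', \Gamma' \longrightarrow C}{\Pi''}}$$

Let $\Xi_1$ be

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma'\gamma \longrightarrow D'\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow B_1\delta_1}{\Pi_1\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{B_1\gamma, \ldots, B_n\gamma, \Gamma'\gamma \longrightarrow D'\gamma}{\Pi'\gamma}}$$

and $\Xi_2$ be

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, D''\gamma, \Gamma'\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1 \longrightarrow B_1\delta_1}{\Pi_1\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{B_1\gamma, \ldots, B_n\gamma, D''\gamma, \Gamma'\gamma \longrightarrow C\gamma}{\Pi''\gamma}}$$

Both $\Xi_1$ and $\Xi_2$ are reducible by induction hypothesis. Therefore the reduct of $\Xi$

$$\infer[\supset\mathcal{L}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, (D' \supset D'')\gamma, \Gamma'\gamma \longrightarrow C\gamma}{\deduce{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma'\gamma \longrightarrow D'\gamma}{\Xi_1} & \deduce{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, D''\gamma, \Gamma'\gamma \longrightarrow C\gamma}{\Xi_2}}$$

is reducible (reducibility of $\Xi_1$ implies its normalizability by Lemma 12).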
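$-/\mathrm{CI}\mathcal{R}$: Suppose $\Pi$ is

$$\infer[\mathrm{CI}\mathcal{R}]{B_1, \ldots, B_n, \Gamma \longrightarrow p\,t}{\deduce{B_1, \ldots, B_n, \Gamma \longrightarrow S\,t}{\Pi'} & \deduce{S\,x \longrightarrow D\,S\,x}{\Pi_S}}$$

where $p\,x = D\,p\,x$. Suppose $p\,u = (p\,t)\delta_1 = (p\,t)\gamma$. Let $\Xi_1$ be the derivation

$$\infer[\mathit{mc}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow S\,u}{\deduce{\Delta_1\delta_1 \longrightarrow B_1\delta_1}{\Pi_1\delta_1} & \cdots & \deduce{\Delta_n\delta_n \longrightarrow B_n\delta_n}{\Pi_n\delta_n} & \deduce{B_1\gamma, \ldots, B_n\gamma, \Gamma\gamma \longrightarrow S\,u}{\Pi'\gamma}}$$

The derivations $\Pi'\gamma$, $\Pi_S$, $\Xi_1$ and the derivation

$$\infer[\mathit{mc}]{\Delta' \longrightarrow D\,S\,w}{\deduce{\Delta' \longrightarrow S\,w}{\Psi} & \deduce{S\,w \longrightarrow D\,S\,w}{\Pi_S[w/x]}}$$

where $\Psi$ is any reducible derivation, are all reducible by induction hypothesis on the length of $\Pi$. Again, we use
the same arguments as in the case where $n = 0$ to construct a $(\mathcal{R}, \Pi_S)$-saturated set $\mathcal{S}$ such that $\Xi_1 \in \mathcal{S}$. Therefore
by Definition 15, the reduct of $\Xi$:

$$\infer[\mathrm{CI}\mathcal{R}]{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow p\,u}{\deduce{\Delta_1\delta_1, \ldots, \Delta_n\delta_n, \Gamma\gamma \longrightarrow S\,u}{\Xi_1} & \deduce{S\,x \longrightarrow D\,S\,x}{\Pi_S}}$$

is reducible.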

$\mathit{mc}/\circ\mathcal{L}$: Suppose $\Pi_1$ ends with a $\mathit{mc}$. Then any reduct of $\Pi_1\delta_1$ corresponds to a predecessor of $\Pi_1$ by Lemma 7.
Therefore the reduct of $\Xi$ is reducible by induction on the reduction of $\Pi_1$.

$-/\mathrm{init}$: $\Xi$ reduces to $\Pi_1\delta_1$. Since $\Pi_1$ is reducible, by Lemma 14, $\Pi_1\delta_1$ is reducible and hence $\Xi$ is reducible.

□ 

Corollary 1. Every derivation is reducible. 

Proof. The proof follows from Lemma 18, by setting n = 0. □ 

Since reducibility implies cut-elimination, it follows that every proof can be transformed into a cut-free proof. 

Corollary 2. Given a fixed stratified definition, a sequent has a proof in Linc⁻ if and only if it has a cut-free proof.

The consistency of Linc⁻ is an immediate consequence of cut-elimination. By consistency we mean the following:
given a fixed stratified definition and an arbitrary formula $C$, it is not the case that both $C$ and $C \supset \bot$ are provable.

Corollary 3. The logic Linc⁻ is consistent.

Proof. Suppose otherwise, that is, there is a formula $C$ such that there is a proof $\Pi_1$ of $C$ and another proof $\Pi_2$
for $C \supset \bot$. Since cut elimination holds, we can assume, without loss of generality, that $\Pi_1$ and $\Pi_2$ are cut free. By
inspection of the inference rules of Linc⁻, we see that $\Pi_2$ must end with $\supset\mathcal{R}$, that is, $\Pi_2$ is

$$\infer[\supset\mathcal{R}]{\longrightarrow C \supset \bot}{\deduce{C \longrightarrow \bot}{\Pi_2'}}$$

Cutting $\Pi_1$ with $\Pi_2'$ we get a derivation of $\cdot \longrightarrow \bot$, and applying the cut-elimination procedure we get a cut-free
derivation of $\cdot \longrightarrow \bot$. But there cannot be such a derivation since there is no right-introduction rule for $\bot$, contradiction.

□ 
6 Related Work



Of course, there is a long association between mathematical logic and inductive definitions [2] and in particular with
proof-theory, starting with Takeuti's conjecture, the earliest relevant entry for our purposes being Martin-Löf's
original formulation of the theory of iterated inductive definitions [24]. From the impredicative encoding of inductive
types [7] and the introduction of (co)recursion [16,29] in system F, (co)inductive types became common and made it 
into type-theoretic proof assistants such as Coq [37], first via a primitive recursive operator, but eventually in the let-rec 
style of functional programming languages, as in Gimenez's Calculus of Infinite Constructions [18]; here termination 
(resp. productivity) is ensured by a syntactic check known as guarded by destructors [17]. Note that Coq forbids 
altogether the introduction of blocks of mutually dependent types containing both inductive and co-inductive ones, 
even though they could be stratified. Moreover, while a syntactic check has obvious advantages, it tends to be too 
restrictive, as observed and improved upon in [6] by using type based termination. The same can be said about Agda 
[36], where size types termination will eventually supersede guardedness [28]. 

Baelde and Miller have recently introduced an extension of linear logic with least and greatest fixed points [5]. 
However, cut elimination is proved indirectly via a second-order encoding of the least and the greatest fixed point 
operators into higher-order linear logic and via an appeal to completeness of focused proofs for higher-order linear 
logic. 

Circular proofs are also connected with the emerging proof-theory of fixed point logics and process calculi [48,
55], as well as in traditional sequent calculi such as in [8]. The issue is the equivalence between systems with local vs 
global induction, that is, between fixed point rules vs. well-founded and guarded induction (i.e. circular proofs). In the 
sequent calculus it is unknown whether every inductive proof can be obtained via global induction. 

In higher order logic (co)inductive definitions are obtained via the usual Tarski fixed point constructions, as realized 
for example in Isabelle/HOL [38]. As we mentioned before, those approaches are at odds with HOAS even at the level
of the syntax. This issue has originated a research field of its own, of which we can only try to mention the main contenders:
in the Twelf system [41] the LF type theory is used to encode deductive systems as judgments and to specify meta-
theorems as relations (type families) among them; a logic programming-like interpretation provides an operational
semantics to those relations, so that an external check for totality (incorporating termination, well-modedness and
coverage [42,53]) verifies that the given relation is indeed a realizer for that theorem. Coinduction is still unaccounted
for and may require a switch to a different operational semantics for LF. There exists a second approach to reasoning
in LF that is built on the idea of devising an explicit (meta-)meta-logic ($\mathcal{M}_\omega$) for reasoning (inductively) about the
framework, in a fully automated way [52]. It can be seen as a constructive first-order inductive type theory, whose
quantifiers range over possibly open LF objects over a signature. In this calculus it is possible to express and
inductively prove meta-logical properties of an object level system. $\mathcal{M}_\omega$ can be also seen as a dependently-typed functional
programming language, and as such it has been refined first into the Elphin programming language [54] and more
recently in Delphin [47]. In a similar vein the context modal logic of Pientka, Pfenning and Nanevski [34] provides a
basis for a different foundation for programming with HOAS and dependent types based on hereditary substitutions,
see the programming language Beluga ([43,44]). Because all of these systems are programming languages, we refrain
from a deeper discussion. We only note that systems like Delphin or Beluga separate data from computations. This
means they are always based on eager evaluation, whereas co-recursive functions should be interpreted lazily. Using
standard techniques such as thunks to simulate lazy evaluation in such a context seems problematic (Pientka, personal
communication).

Weak higher-order abstract syntax [11] is an approach that strives to co-exist with an inductive setting, where the 
positivity condition for datatypes and hypothetical judgments must be obeyed. The problem of negative occurrences 
in datatypes is handled by replacing them with a new type. The approach is extended to hypothetical judgments by 
introducing distinct predicates for the negative occurrences. Some axioms are needed to reason about hypothetical 
judgments, to mimic what is inferred by the cut rule in our architecture. Miculan et al.'s framework [22] embraces 
this axiomatic approach extending Coq with the "theory of contexts" (ToC). The theory includes axioms for the
reification of key properties of names akin to freshness. Furthermore, higher-order induction and recursion schemata
on expressions are also assumed. Hybrid [3] is a λ-calculus on top of Isabelle/HOL which provides the user with a
full HOAS syntax, compatible with a classical (co)-inductive setting. Linc⁻ improves on the latter on several counts.
First it disposes of Hybrid's notion of abstraction, which is used to carve out the "parametric" function space from the
full HOL space. Moreover it is not restricted to second-order abstract syntax, as the current Hybrid version is (and as
ToC cannot escape from being). Finally, at higher types, reasoning via defL is more powerful than inversion, which
does not exploit higher-order unification.

ToC can be seen as a stepping stone towards Gabbay and Pitts' nominal logic, which aims to be a foundation of 
programming and reasoning with names. It can be presented as a first-order theory [45], which includes primitives for 
variable renaming and variable freshness, and a (derived) new "freshness" quantifier. Using this theory, it is possible 
to prove properties by structural induction and also to define functions by recursion over syntax [46]. Urban et al. 
have engineered a nominal datatype package inside Isabelle/HOL [35] analogous to the standard datatype package but 
defining equivalence classes of term constructors. In more recent versions, principles of primitive recursion and strong 
induction have been added [60]. Coinduction on nominal datatypes is not available, but to be fair it is also absent from 
Isabelle/HOL due to some technical limitations in the automation of the inductive package. 

7 Conclusion and Future Work 

We have presented a proof theoretical treatment of both induction and co-induction in a sequent calculus compatible 
with HOAS encodings. The proof principle underlying the explicit proof rules is basically fixed point (co)induction. 
We have shown some examples where informal (co)inductive proofs using invariants and simulations are reproduced 
formally in Linc⁻. 

Consistency of the logic is an easy consequence of cut-elimination. Our proof system is, as far as we know, the 
first which incorporates a co-induction proof rule with a direct cut elimination proof. This schema can be used as a 
springboard towards cut elimination procedures for more expressive (conservative) extensions of Linc⁻, for example 
in the direction of FOλ^∇ [31], or more recently, the logic LG^ω [57] by Tiu and the logic G by Gacek et al. [14]. 

As for future work, we may investigate loosening the stratification condition, for example in the sense of local 
stratification, possibly allowing proofs such as type preservation in operational semantics to be encoded directly in Linc⁻ 
rather than with the 2-level approach [26, 32]. More general notions of stratifications are already allowed in practice, 
see the proof by logical relations in [15], but not formally justified. 

Another interesting problem is the connection with circular proofs, which is particularly attractive from the 
viewpoint of proof search, both inductively and co-inductively. This could be realized by directly proving a cut-elimination 
result for a logic where circular proofs, under termination and guardedness conditions, completely replace (co)inductive 
rules. Indeed, the question whether "global" proofs are equivalent to "local" proofs [8] is still unsettled. 